CICS Transaction Gateway V5 The WebSphere ... - IBM Redbooks
CICS Transaction Gateway V5 The WebSphere ... - IBM Redbooks
CICS Transaction Gateway V5 The WebSphere ... - IBM Redbooks
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> <strong>WebSphere</strong> Connector for <strong>CICS</strong><br />
Install and configure the <strong>CICS</strong> TG on z/OS,<br />
Linux, and Windows<br />
Configure TCP/IP, TCP62, APPC or<br />
EXCI connections to <strong>CICS</strong> TS V2.2<br />
Deploy J2EE applications to<br />
<strong>WebSphere</strong> Application Server V4<br />
on z/OS or Windows<br />
ibm.com/redbooks<br />
Front cover<br />
Phil Wakelin<br />
John Joro<br />
Kevin Kinney<br />
David Seager
International Technical Support Organization<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> <strong>WebSphere</strong> Connector for <strong>CICS</strong><br />
August 2002<br />
SG24-6133-01
Note: Before using this information and the product it supports, read the information in<br />
“Notices” on page ix.<br />
Second Edition (August 2002)<br />
This document updated on June 26, 2009.<br />
This edition applies to <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.0 and <strong>CICS</strong> <strong>Transaction</strong> Server for z/OS<br />
V2.2 for use on the z/OS and Windows operating systems.<br />
© Copyright International Business Machines Corporation 2001 2002. All rights reserved.<br />
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule<br />
Contract with <strong>IBM</strong> Corp.
Contents<br />
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix<br />
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x<br />
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi<br />
<strong>The</strong> team that wrote this redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii<br />
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii<br />
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii<br />
Summary of changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv<br />
August 2002, Second Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv<br />
Part 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
1.1 <strong>CICS</strong> TG: Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4<br />
1.1.1 Client daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
1.1.2 <strong>Gateway</strong> daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
1.1.3 Configuration Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
1.1.4 Terminal Servlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
1.2 <strong>CICS</strong> TG: Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.2.1 External Call Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
1.2.2 External Presentation Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
1.2.3 External Security Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Part 2. Configuring <strong>CICS</strong> connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
Chapter 2. APPC connections to <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
2.1 Introduction to APPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
2.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
2.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
2.2 APPC connections in <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
2.2.1 <strong>CICS</strong> CONNECTION definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
2.2.2 <strong>CICS</strong> SESSIONS definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
2.2.3 <strong>CICS</strong> connection autoinstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
2.3 APPC connections and VTAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
2.3.1 VTAM application major node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26<br />
2.3.2 VTAM logon mode table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
2.3.3 VTAM switched major node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
2.4 Configuring <strong>IBM</strong> Personal Communications . . . . . . . . . . . . . . . . . . . . . . . 28<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. iii
iv <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2.5 APPC definitions for the <strong>CICS</strong> TG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
2.6 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35<br />
2.6.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35<br />
2.6.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
3.1 Introduction to TCP62 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40<br />
3.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42<br />
3.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42<br />
3.2 APPC connections in <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43<br />
3.3 VTAM definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
3.4 TCP62 definitions for the <strong>CICS</strong> TG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
3.5 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55<br />
3.5.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55<br />
3.5.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61<br />
Chapter 4. EXCI connections to <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65<br />
4.1 Introduction to EXCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
4.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
4.1.2 Definitions checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
4.2 EXCI connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
4.2.1 EXCI CONNECTION definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68<br />
4.2.2 EXCI SESSIONS definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70<br />
4.2.3 EXCI options table: DFHXCOPT. . . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
4.2.4 EXCI user-replaceable module: DFHXCURM. . . . . . . . . . . . . . . . . . 73<br />
4.2.5 <strong>Transaction</strong>al EXCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73<br />
4.3 EXCI definitions for the <strong>CICS</strong> TG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74<br />
4.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
4.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
4.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . 81<br />
5.1 Introduction to ECI over TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82<br />
5.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83<br />
5.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84<br />
5.2 TCP/IP definitions for <strong>CICS</strong>. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84<br />
5.3 TCP/IP definitions for the <strong>CICS</strong> TG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87<br />
5.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90<br />
5.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90<br />
5.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97<br />
Chapter 6. <strong>CICS</strong> TG security scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . 99<br />
6.1 Introduction to <strong>CICS</strong> security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100<br />
6.2 <strong>CICS</strong> TG security scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.2.1 ECI to <strong>CICS</strong> TG for z/OS (EXCI). . . . . . . . . . . . . . . . . . . . . . . . . . . 102<br />
6.2.2 ECI to <strong>CICS</strong> TG for Windows (TCP/IP). . . . . . . . . . . . . . . . . . . . . . 112<br />
6.2.3 EPI to <strong>CICS</strong> TG for Windows (TCP62) . . . . . . . . . . . . . . . . . . . . . . 115<br />
6.3 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126<br />
6.3.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126<br />
Part 3. <strong>Gateway</strong> daemon scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS. . . . . . . . 133<br />
7.1 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134<br />
7.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135<br />
7.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135<br />
7.1.3 <strong>CICS</strong> configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136<br />
7.1.4 Installation of the <strong>CICS</strong> TG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136<br />
7.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146<br />
7.2.1 Defining <strong>CICS</strong> TG environmental variables . . . . . . . . . . . . . . . . . . 148<br />
7.2.2 Defining <strong>CICS</strong> TG configuration parameters. . . . . . . . . . . . . . . . . . 153<br />
7.2.3 EXCI pipe usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154<br />
7.3 Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
7.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164<br />
7.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164<br />
7.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS . . . . . . . . 185<br />
8.1 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186<br />
8.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187<br />
8.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
8.2.1 Configuring the server certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 191<br />
8.2.2 Configuring the client keyring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196<br />
8.2.3 Configuring the <strong>CICS</strong> TG for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . 201<br />
8.3 Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203<br />
8.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
8.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
8.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux . . . . . . . 213<br />
9.1 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214<br />
9.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214<br />
9.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.1.3 Installation of the <strong>CICS</strong> TG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215<br />
9.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220<br />
9.3 Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224<br />
9.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
Contents v
vi <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
9.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
9.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230<br />
Part 4. <strong>WebSphere</strong> scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS . . . . 237<br />
10.1 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238<br />
10.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
10.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
10.2 <strong>WebSphere</strong> configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244<br />
10.2.1 J2EE Server configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . 245<br />
10.2.2 HTTP Server definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247<br />
10.2.3 System Management End-User Interface . . . . . . . . . . . . . . . . . . . 247<br />
10.2.4 Installing the <strong>CICS</strong> ECI resource adapter . . . . . . . . . . . . . . . . . . . 250<br />
10.2.5 Deploying our sample enterprise applications . . . . . . . . . . . . . . . 258<br />
10.3 Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266<br />
10.3.1 HTTP Transport Handler testing . . . . . . . . . . . . . . . . . . . . . . . . . . 268<br />
10.3.2 HTTP Server and basic authentication testing . . . . . . . . . . . . . . . 274<br />
10.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281<br />
10.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281<br />
10.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 289<br />
11.1 Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290<br />
11.1.1 Software checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292<br />
11.1.2 Definitions checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293<br />
11.1.3 Installing <strong>WebSphere</strong> Application Server . . . . . . . . . . . . . . . . . . . 293<br />
11.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294<br />
11.2.1 Starting the administrative console . . . . . . . . . . . . . . . . . . . . . . . . 294<br />
11.2.2 Installing the <strong>CICS</strong> ECI resource adapter . . . . . . . . . . . . . . . . . . . 295<br />
11.2.3 Deploying our sample enterprise applications . . . . . . . . . . . . . . . 299<br />
11.3 Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309<br />
11.3.1 Local testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309<br />
11.3.2 Remote testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316<br />
11.4 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318<br />
11.4.1 Tips and utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318<br />
11.4.2 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321<br />
Part 5. Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327<br />
Appendix A. DFHCNV and <strong>CICS</strong> data conversion . . . . . . . . . . . . . . . . . . 329<br />
ECI applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330<br />
EPI applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Appendix B. Sample applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337<br />
<strong>The</strong> CTGTesterECI application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338<br />
Application overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338<br />
<strong>The</strong> CTGTesterCCI application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355<br />
Application overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356<br />
Appendix C. Additional material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389<br />
Locating the Web material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389<br />
System requirements for downloading the Web material . . . . . . . . . . . . . 389<br />
Using the Web material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390<br />
Importing CTGTesterECI into <strong>WebSphere</strong> Studio . . . . . . . . . . . . . . . . . . 391<br />
Abbreviations and acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405<br />
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407<br />
<strong>IBM</strong> <strong>Redbooks</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407<br />
Other resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407<br />
Referenced Web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408<br />
How to get <strong>IBM</strong> <strong>Redbooks</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408<br />
<strong>IBM</strong> <strong>Redbooks</strong> collections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411<br />
Contents vii
viii <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Notices<br />
This information was developed for products and services offered in the U.S.A.<br />
<strong>IBM</strong> may not offer the products, services, or features discussed in this document in other countries. Consult<br />
your local <strong>IBM</strong> representative for information on the products and services currently available in your area.<br />
Any reference to an <strong>IBM</strong> product, program, or service is not intended to state or imply that only that <strong>IBM</strong><br />
product, program, or service may be used. Any functionally equivalent product, program, or service that<br />
does not infringe any <strong>IBM</strong> intellectual property right may be used instead. However, it is the user's<br />
responsibility to evaluate and verify the operation of any non-<strong>IBM</strong> product, program, or service.<br />
<strong>IBM</strong> may have patents or pending patent applications covering subject matter described in this document.<br />
<strong>The</strong> furnishing of this document does not give you any license to these patents. You can send license<br />
inquiries, in writing, to:<br />
<strong>IBM</strong> Director of Licensing, <strong>IBM</strong> Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.<br />
<strong>The</strong> following paragraph does not apply to the United Kingdom or any other country where such<br />
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION<br />
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR<br />
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,<br />
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer<br />
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.<br />
This information could include technical inaccuracies or typographical errors. Changes are periodically made<br />
to the information herein; these changes will be incorporated in new editions of the publication. <strong>IBM</strong> may<br />
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at<br />
any time without notice.<br />
Any references in this information to non-<strong>IBM</strong> Web sites are provided for convenience only and do not in any<br />
manner serve as an endorsement of those Web sites. <strong>The</strong> materials at those Web sites are not part of the<br />
materials for this <strong>IBM</strong> product and use of those Web sites is at your own risk.<br />
<strong>IBM</strong> may use or distribute any of the information you supply in any way it believes appropriate without<br />
incurring any obligation to you.<br />
Information concerning non-<strong>IBM</strong> products was obtained from the suppliers of those products, their published<br />
announcements or other publicly available sources. <strong>IBM</strong> has not tested those products and cannot confirm<br />
the accuracy of performance, compatibility or any other claims related to non-<strong>IBM</strong> products. Questions on<br />
the capabilities of non-<strong>IBM</strong> products should be addressed to the suppliers of those products.<br />
This information contains examples of data and reports used in daily business operations. To illustrate them<br />
as completely as possible, the examples include the names of individuals, companies, brands, and products.<br />
All of these names are fictitious and any similarity to the names and addresses used by an actual business<br />
enterprise is entirely coincidental.<br />
COPYRIGHT LICENSE:<br />
This information contains sample application programs in source language, which illustrates programming<br />
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in<br />
any form without payment to <strong>IBM</strong>, for the purposes of developing, using, marketing or distributing application<br />
programs conforming to the application programming interface for the operating platform for which the<br />
sample programs are written. <strong>The</strong>se examples have not been thoroughly tested under all conditions. <strong>IBM</strong>,<br />
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,<br />
modify, and distribute these sample programs in any form without payment to <strong>IBM</strong> for the purposes of<br />
developing, using, marketing, or distributing application programs conforming to <strong>IBM</strong>'s application<br />
programming interfaces.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. ix
Trademarks<br />
<strong>IBM</strong>, the <strong>IBM</strong> logo, and ibm.com are trademarks or registered trademarks of International Business<br />
Machines Corporation in the United States, other countries, or both. <strong>The</strong>se and other <strong>IBM</strong> trademarked<br />
terms are marked on their first occurrence in this information with the appropriate symbol (® or ),<br />
indicating US registered or common law trademarks owned by <strong>IBM</strong> at the time this information was<br />
published. Such trademarks may also be registered or common law trademarks in other countries. A current<br />
list of <strong>IBM</strong> trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml<br />
<strong>The</strong> following terms are trademarks of the International Business Machines Corporation in the United States,<br />
other countries, or both:<br />
AIX®<br />
AnyNet®<br />
<strong>CICS</strong>Plex®<br />
<strong>CICS</strong>®<br />
DB2 Universal Database<br />
DB2®<br />
<strong>IBM</strong>®<br />
x <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
OS/390®<br />
Parallel Sysplex®<br />
RACF®<br />
<strong>Redbooks</strong>®<br />
<strong>Redbooks</strong> (logo)<br />
S/390®<br />
SecureWay<br />
<strong>The</strong> following terms are trademarks of other companies:<br />
System/390®<br />
VisualAge®<br />
VTAM®<br />
<strong>WebSphere</strong>®<br />
z/OS®<br />
zSeries®<br />
Intel Pentium, Intel, Pentium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered<br />
trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.<br />
Interchange, Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in<br />
the U.S. and other countries.<br />
Internet Explorer, Microsoft, Windows NT, Windows, and the Windows logo are trademarks of Microsoft<br />
Corporation in the United States, other countries, or both.<br />
EJB, Enterprise JavaBeans, J2EE, Java, JavaBeans, JavaServer, JDBC, JDK, JNI, JSP, JVM, Solaris, Sun,<br />
and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other<br />
countries, or both.<br />
UNIX is a registered trademark of <strong>The</strong> Open Group in the United States and other countries.<br />
Other company, product, and service names may be trademarks or service marks of others.
Preface<br />
<strong>The</strong> <strong>CICS</strong>® <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) is widely used to provide access to<br />
<strong>CICS</strong> COMMAREA-based programs and 3270 transactions from Java<br />
environments. This <strong>IBM</strong>® Redbook shows you how to build a robust <strong>CICS</strong> TG<br />
configuration for a variety of different configurations.<br />
First we introduce the facilities of the <strong>CICS</strong> TG, followed by step-by-step<br />
explanations of how to use the different protocols (TCP/IP, TCP62, APPC, and<br />
EXCI) used for communication with a <strong>CICS</strong> TS V2.2 region on z/OS®, and how<br />
to secure your <strong>CICS</strong> region when receiving External Call Interface (ECI) or<br />
External Presentation Interface (EPI) requests.<br />
Next, we provide details on how to configure the <strong>CICS</strong> TG <strong>V5</strong> on either z/OS or<br />
Linux to connect a Java client application to a <strong>CICS</strong> region. <strong>The</strong> use of the<br />
Secure Sockets Layer (SSL) protocol to encrypt the communication from the<br />
Java application to the <strong>CICS</strong> TG is included in these scenarios.<br />
Finally, we offer two scenarios to illustrate how to configure <strong>WebSphere</strong>®<br />
Application Server V4 on the Windows or z/OS platforms, to use the supplied ECI<br />
resource adapter to allow J2EE applications to make ECI calls to <strong>CICS</strong>.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. xi
<strong>The</strong> team that wrote this redbook<br />
xii <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
This redbook was produced by a team of specialists from around the world<br />
working at the International Technical Support Organization, San Jose Center.<br />
.<br />
<strong>The</strong> authors: Phil, Dave, Kevin, and John<br />
Phil Wakelin is a Senior I/T Specialist at the International Technical Support<br />
Organization, San Jose Center, and has more than 12 years’ experience working<br />
on most platforms and versions of <strong>CICS</strong>. He writes extensively and has taught<br />
<strong>IBM</strong> classes about many areas of <strong>CICS</strong>, specializing in <strong>CICS</strong> Web-enablement<br />
and client-server technology. Before joining the ITSO, Phil worked in the<br />
Installation Support Center, <strong>IBM</strong> UK as pre-sales support and in the <strong>CICS</strong><br />
System Test department of the <strong>IBM</strong> Hursley Laboratory in the UK.<br />
John Joro is an I/T Specialist at <strong>IBM</strong> Global Services in Finland. He has 15<br />
years of experience working on OS/390® with <strong>CICS</strong> and <strong>CICS</strong>Plex® SM.<br />
Kevin Kinney is a senior systems programmer at Unisure in Cincinnati, Ohio. He<br />
has 15 years of experience in mainframe technologies and has worked at<br />
Unisure for six years. His areas of expertise include everything OS/390.<br />
David Seager is a Software Engineer in Hursley, UK. He has five years of<br />
experience working in the transaction processing field. He holds a degree in<br />
physics from Oxford University. His areas of expertise include Java, all things<br />
object-oriented, and many different platforms. He has written several<br />
DeveloperWorks articles on many different Internet technologies.<br />
Thanks to the following people for their contributions to this project:<br />
Geoff Sharman, Chris Smith, Jon Butts, <strong>IBM</strong> Hursley for supporting this project.
Richard Johnson, Robert Jerrom, Kate Robinson, Daniel McGinnes, Dave<br />
Kesley, Innes Reed, Simon Knights, David Radley, and Darren Beard, all of the<br />
<strong>IBM</strong> Hursley Lab, for explaining the workings of the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>.<br />
Nigel Williams of <strong>IBM</strong> Montpellier, Kevin Senior of <strong>IBM</strong> Italy, and Holger<br />
Wunderlich of ITSO Poughkeepsie, for insight into <strong>WebSphere</strong> security on z/OS.<br />
Mark Endrei of ITSO Raleigh, Jim Grauel of <strong>IBM</strong> Raleigh, and Steve Wall of <strong>IBM</strong><br />
Montpelier for their review comments.<br />
Rich Conway, Bob Haimowitz, and Dave Bennin of the ITSO for providing<br />
excellent systems support.<br />
Steve Day, Frances McKenna, and Shannan Read, who were the authors of the<br />
previous version of this <strong>IBM</strong> Redbook.<br />
Become a published author<br />
Join us for a two- to six-week residency program! Help write an <strong>IBM</strong> Redbook<br />
dealing with specific products or solutions, while getting hands-on experience<br />
with leading-edge technologies. You'll team with <strong>IBM</strong> technical professionals,<br />
Business Partners and/or customers.<br />
Your efforts will help increase product acceptance and customer satisfaction. As<br />
a bonus, you'll develop a network of contacts in <strong>IBM</strong> development labs, and<br />
increase your productivity and marketability.<br />
Find out more about the residency program, browse the residency index, and<br />
apply online at:<br />
Comments welcome<br />
ibm.com/redbooks/residencies.html<br />
Your comments are important to us!<br />
We want our <strong>Redbooks</strong>® to be as helpful as possible. Send us your comments<br />
about this or other <strong>Redbooks</strong> in one of the following ways:<br />
► Use the online Contact us review redbook form found at:<br />
ibm.com/redbooks<br />
► Send your comments in an Internet note to:<br />
redbook@us.ibm.com<br />
Preface xiii
► Mail your comments to:<br />
xiv <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>IBM</strong> Corporation, International Technical Support Organization<br />
Dept. QXXE Building 80-E2<br />
650 Harry Road<br />
San Jose, California 95120-6099
Summary of changes<br />
This section describes the technical changes made in this edition of the book and<br />
in previous editions. This edition may also include minor corrections and editorial<br />
changes that are not identified.<br />
Summary of Changes<br />
for SG24-6133-01<br />
for <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
as created or updated on June 26, 2009.<br />
August 2002, Second Edition<br />
This revision reflects the addition, deletion, or modification of new and changed<br />
information described below.<br />
New and changed information<br />
<strong>The</strong> following topics have been added or modified in this Second Edition:<br />
► Use of <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.0<br />
► Use of <strong>CICS</strong> TS V2.2, including ECI over TCP/IP support<br />
► <strong>CICS</strong> ECI and EPI security scenarios<br />
► Dynamic trace facility in <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.0<br />
► Use of <strong>Gateway</strong> daemon on Linux<br />
► Use of multiple <strong>Gateway</strong> daemons on z/OS<br />
► Use of transactional EXCI<br />
► <strong>WebSphere</strong> Application Server V4.01 for z/OS and OS/390<br />
► <strong>WebSphere</strong> Application Server V4.03 for Windows<br />
► Use of JSSE for 128-bit Secure Sockets Layer support, in place of SSLight<br />
► TCP62 dynamic LU name generation, including the tcp62locallu utility<br />
► Call<strong>CICS</strong> servlet sample, replaced with CTGTesterECI and CTGTesterCCI<br />
samples<br />
Note: In December 2002, this version was updated with minor technical<br />
corrections.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. xv
xvi <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Part 1 Introduction<br />
Part 1<br />
In this part, we give a broad overview of the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, the Java<br />
programming interfaces it offers, and the means of connecting the <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong> to <strong>CICS</strong> regions on z/OS.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 1
2 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
This chapter gives a broad overview of the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
(<strong>CICS</strong> TG) and the features and functions it provides.<br />
<strong>The</strong> following topics are discussed:<br />
► <strong>CICS</strong> TG interfaces<br />
► <strong>Gateway</strong> daemon<br />
► Client daemon<br />
► Configuration Tool<br />
► Terminal Servlet<br />
1<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 3
1.1 <strong>CICS</strong> TG: Infrastructure<br />
4 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) is a set of client and server software<br />
components that allow a Java application to invoke services in a <strong>CICS</strong> region.<br />
<strong>The</strong> Java application can be an applet, a servlet, an enterprise bean, or any other<br />
Java application (Figure 1-1).<br />
<strong>The</strong> latest edition of the <strong>CICS</strong> TG is <strong>V5</strong>.00, and the currently supported platforms<br />
are: z/OS, OS/390, Linux for S/390®, AIX®, HP-UX, Sun Solaris, Windows NT,<br />
and Windows 2000.<br />
<strong>The</strong> <strong>CICS</strong> TG is supported for use with <strong>CICS</strong>/ESA V4.1, <strong>CICS</strong>/VSE 2.3 and<br />
<strong>CICS</strong> <strong>Transaction</strong> Server (<strong>CICS</strong> TS) for VSE/ESA V1, but only if the <strong>CICS</strong> TG<br />
runs on a distributed platform. For use with <strong>CICS</strong> TS V1 for OS/390 or <strong>CICS</strong> TS<br />
V2 for z/OS, the <strong>CICS</strong> TG can run on z/OS, OS/390, or a distributed platform.<br />
For product information on using <strong>CICS</strong> TG, refer to the <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> Administration Guides.<br />
Java client<br />
application<br />
HTTP<br />
or<br />
TCP<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong><br />
<strong>Gateway</strong><br />
daemon<br />
ECI EPI<br />
JNI<br />
Client daemon<br />
Transport drivers<br />
Figure 1-1 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> components<br />
<strong>The</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> consists of the following principal components:<br />
► <strong>Gateway</strong> daemon<br />
► Client daemon<br />
► Configuration Tool (ctgcfg)<br />
► Terminal Servlet<br />
► Java class library<br />
ESI<br />
CTG.INI<br />
Network<br />
Configuration<br />
tool<br />
ctgcfg<br />
<strong>CICS</strong><br />
server
1.1.1 Client daemon<br />
<strong>The</strong> <strong>CICS</strong> TG Client daemon is an integral part of the <strong>CICS</strong> TG on all distributed<br />
platforms. It provides the <strong>CICS</strong> client-server connectivity using the same<br />
technology as previously provided by the <strong>CICS</strong> Universal Client. On distributed<br />
platforms, connections to the following <strong>CICS</strong> servers are supported:<br />
► APPC connections from Windows and AIX platforms to all <strong>CICS</strong> platforms<br />
► TCP62 (LU 6.2 over IP) connections to <strong>CICS</strong>/ESA V4.1, <strong>CICS</strong> TS V1.2 and<br />
<strong>CICS</strong> TS V1.3 for OS/390, and <strong>CICS</strong> TS for z/OS V2<br />
► TCP/IP connections to <strong>CICS</strong> TS for z/OS V2.2, <strong>CICS</strong> TS for VSE/ESA V1.1.1<br />
the TXSeries <strong>CICS</strong> Servers (AIX, Sun Solaris, Windows NT, and HP-UX) and<br />
<strong>CICS</strong> OS/2 <strong>Transaction</strong> Server<br />
For further details on supported platforms and required service levels, refer to the<br />
appropriate announcement letters available at the following URL:<br />
http://www-4.ibm.com/software/ts/cics/announce/<br />
<strong>The</strong> Client daemon runs in the background as the cclclnt process. Interaction<br />
with the Client daemon is provided by the cicscli executable, which can be used<br />
to start, stop and query the Client daemon, among other functions. <strong>The</strong><br />
command cicscli -? lists the cicscli command options, as shown in<br />
Example 1-1.<br />
On the Windows platform, the Client daemon can run as a Windows service. <strong>The</strong><br />
ability to run as a service is provided by the cclserv.exe executable, which is<br />
registered as a service during <strong>CICS</strong> TG installation. <strong>The</strong> Client daemon can be<br />
started and stopped using the Windows Service Control Manager.<br />
Example 1-1 Options for the cicscli command<br />
C:\>cicscli -?<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL8002I Command options are:<br />
CCL8003I -S[=server] - Start the client [and connect to a server]<br />
CCL8004I -X[=server] - Close the client [or server connection]<br />
CCL8005I -I[=server] - Abort the client [or server connection]<br />
CCL8006I -L - List active server connections<br />
CCL8007I -D[=size] - Enable service tracing [and set size limit]<br />
CCL8008I -O - Disable all service tracing<br />
CCL8009I -C=server - Specify the server for security changes<br />
CCL8010I Must specify with one or both of /U and /P<br />
CCL8011I -U[=userid] - Set the userid to be used with a server<br />
CCL8012I -P[=password] - Set the password to be used with a server<br />
CCL8013I -N - Suppress client pop-ups<br />
CCL8014I -E - Activate client pop-ups<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> 5
6 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
CCL8015I -W - Wait for confirmation before completing<br />
CCL8016I -Q - Inhibit all output messages<br />
CCL8017I -V - Display client version information<br />
CCL8018I -Y - Perform a controlled restart of the client<br />
CCL8019I -J - Perform an immediate restart of the client<br />
CCL8020I -M[=components] - Specify the components to trace<br />
CCL8021E<br />
CCL8023I <strong>CICS</strong>CLI performed no action<br />
<strong>The</strong> cicscli -l command can be used to list which <strong>CICS</strong> servers are in use by<br />
the Client daemon, as shown in Example 1-2.<br />
Example 1-2 Output from the cicscli -l command<br />
C:\>cicscli -l<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994, 2002. All rights reserved.<br />
CCL8041I <strong>The</strong> <strong>CICS</strong> Client is using the following servers:<br />
CCL8043I Server 'SC62PJA1' (using 'TCP62' to 'US<strong>IBM</strong>SC.SCSCPJA1') is unavailable<br />
CCL8042I Server 'SCSCPJA1' (using 'TCPIP' to 'wtsc66oe.itso.ibm.com') is<br />
available<br />
CCL8044I Server 'SCSCPJA4' (using 'TCPIP' to 'wtsc66oe.itso.ibm.com') is<br />
connecting
1.1.2 <strong>Gateway</strong> daemon<br />
<strong>The</strong> <strong>Gateway</strong> daemon is a long-running process that functions as a server to<br />
network-attached Java client applications (such as applets or remote<br />
applications) by listening on a specified TCP/IP port. <strong>The</strong> <strong>CICS</strong> TG supports four<br />
different <strong>CICS</strong> TG network protocols (TCP, SSL, HTTP, or HTTPS), each of which<br />
requires a different <strong>CICS</strong> TG protocol handler to be configured to listen for<br />
requests (Figure 1-2).<br />
Java<br />
Client<br />
TCP or SSL<br />
HTTP or HTTPS<br />
<strong>Gateway</strong><br />
daemon<br />
Protocol<br />
handler<br />
Distributed platform<br />
<strong>CICS</strong> TG<br />
CTGJNI.dll<br />
JNI module<br />
Client<br />
daemon<br />
Figure 1-2 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>: distributed platform<br />
APPC<br />
or<br />
TCP62<br />
or<br />
TCP/IP<br />
z/OS or VSE<br />
<strong>CICS</strong><br />
Server<br />
<strong>The</strong> structure of the <strong>Gateway</strong> daemon is slightly different on z/OS and on<br />
distributed platforms. On distributed platforms (including Linux for S/390), the<br />
<strong>CICS</strong> TG provides equivalent functions to those provided by the <strong>CICS</strong> Universal<br />
Client. <strong>The</strong>re are three basic interfaces that are provided to Java client<br />
applications:<br />
External Call Interface (ECI) A call interface to COMMAREA-based<br />
<strong>CICS</strong> applications<br />
External Presentation Interface (EPI) An API to invoke 3270-based<br />
transactions<br />
External Security Interface (ESI) An API that allows password<br />
expiration management (PEM)<br />
functions to be invoked in <strong>CICS</strong>, in<br />
order to verify and change user IDs<br />
and passwords<br />
In <strong>V5</strong> of the <strong>CICS</strong> TG, there is now also a new type of protocol handler called<br />
TCPAdmin, which is part of the dynamic trace facility. This allows a Java client to<br />
connect to the <strong>CICS</strong> TG and dynamically control the <strong>CICS</strong> TG trace settings. For<br />
further details on how we used this, refer to “Dynamic trace (gateway)” on<br />
page 174.<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> 7
8 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
On z/OS, the External <strong>CICS</strong> Interface (EXCI) is used in place of the Client<br />
daemon, and provides access to COMMAREA-based <strong>CICS</strong> programs<br />
(Figure 1-3). Consequently, the EPI and ESI interfaces are not available with the<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS. <strong>The</strong>re are also a few differences between<br />
the ECI support on z/OS and the ECI support using distributed platforms.<br />
Java<br />
Client<br />
TCP or SSL<br />
HTTP or HTTPS<br />
<strong>Gateway</strong><br />
daemon<br />
Protocol<br />
handler<br />
Figure 1-3 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>: z/OS<br />
<strong>CICS</strong> TG<br />
libCTGJNI.so<br />
EXCI<br />
OS/390<br />
JNI module<br />
<strong>CICS</strong><br />
Server<br />
<strong>The</strong> primary differences in the ECI support offered when the <strong>CICS</strong> TG is running<br />
on z/OS are as follows:<br />
► When using asynchronous calls, specific reply solicitation calls are not<br />
supported.<br />
► <strong>The</strong> user ID and password flowed on ECI requests are verified within the<br />
<strong>CICS</strong> TG with RACF®; afterwards the verified user ID is then flowed onto<br />
<strong>CICS</strong>.<br />
► <strong>The</strong> ECIRequest method listSystems() does not return the list of usable<br />
servers, since any <strong>CICS</strong> region within the Parallel Sysplex® can be reached.<br />
MRO<br />
IRC<br />
Note: <strong>The</strong> <strong>Gateway</strong> daemon is not usually required when a Java<br />
application executes on the same machine as where the <strong>CICS</strong> TG is<br />
installed. In this situation, the <strong>CICS</strong> TG local: protocol can be used, which<br />
directly invokes the underlying transport mechanism using the Java Native<br />
Interface (JNI) module libCTGJNI.so.
1.1.3 Configuration Tool<br />
<strong>The</strong> Configuration Tool (ctgcfg) is a Java-based graphical user interface (GUI)<br />
supplied by the <strong>CICS</strong> TG on all platforms. It is used to configure the <strong>Gateway</strong><br />
daemon and Client daemon properties, which are stored in the CTG.INI file. In<br />
versions of the <strong>CICS</strong> TG prior to V3, the <strong>CICS</strong>CLI.INI and gateway.properties<br />
files were used to store the configuration parameters now stored in CTG.INI.<br />
Figure 1-4 illustrates the graphical user interface of the Configuration Tool.<br />
Figure 1-4 Configuration Tool<br />
<strong>The</strong> Configuration Tool displays three main types of resources as follows:<br />
► <strong>The</strong> different Java gateway protocol handlers (TCP, SSL, HTTP, HTTPS, and<br />
TCPAdmin). For details on how we configured the TCP, SSL and TCPAdmin<br />
protocol handlers, refer to the chapters in Part 3, “<strong>Gateway</strong> daemon<br />
scenarios”.<br />
► <strong>The</strong> Client daemon, and the configured server connection to defined <strong>CICS</strong><br />
regions. For details on how we configured TCP/IP, APPC and TCP62<br />
connections to our <strong>CICS</strong> regions, refer to the chapters in Part 2, “Configuring<br />
<strong>CICS</strong> connections”.<br />
► <strong>The</strong> Workload Manager and the Server Groups and Programs defined for<br />
workload balancing. For information on the <strong>CICS</strong> TG Workload Manager,<br />
refer to the redbook, Workload Management for Web Access to <strong>CICS</strong>,<br />
SG24-6118.<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> 9
1.1.4 Terminal Servlet<br />
10 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> Terminal Servlet is a supplied Java servlet that allows you to use a Web<br />
browser as an emulator for a 3270 <strong>CICS</strong> application. It dynamically converts<br />
3270 output into HTML for display on a Web browser, and is a non-programmatic<br />
solution for Web-enabling 3270 applications.<br />
<strong>The</strong> Terminal Servlet is similar in function to the <strong>CICS</strong>-supplied 3270 Web bridge,<br />
in that it provides a turn-key solution to Web-enabling 3270-based applications. It<br />
also has the ability to use the same HTML templates as the 3270 Web bridge to<br />
display the output of <strong>CICS</strong> BMS maps as HTML forms. In addition, it provides a<br />
basic terminal emulation capability, and the ability to use server-side includes to<br />
display information from a <strong>CICS</strong> screen. <strong>The</strong> HTML template interface offered by<br />
the Terminal Servlet is shown in Figure 1-5.<br />
Figure 1-5 <strong>CICS</strong> TG Terminal Servlet
1.2 <strong>CICS</strong> TG: Interfaces<br />
All the principal interfaces provided by the <strong>CICS</strong> TG fall into one of three<br />
categories, based on the function being invoked in <strong>CICS</strong>:<br />
► External Call Interface (ECI)<br />
► External Presentation Interface (EPI)<br />
► External Security Interface (ESI)<br />
For further details on programming with the <strong>CICS</strong> TG, refer to the redbook Java<br />
Connectors for <strong>CICS</strong>, SG24-6401.<br />
1.2.1 External Call Interface<br />
<strong>The</strong> ECI is used for calling COMMAREA-based <strong>CICS</strong> programs. <strong>The</strong><br />
COMMAREA is the buffer that is used for passing the data between the client<br />
and the <strong>CICS</strong> server. <strong>CICS</strong> sees the client request as just another distributed<br />
program link (DPL) request (Figure 1-6).<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong><br />
Figure 1-6 External Call Interface<br />
ECI<br />
LINK<br />
<strong>CICS</strong> region<br />
<strong>CICS</strong><br />
Application<br />
An ECI request can be made in Java using one of three different interfaces:<br />
► <strong>The</strong> ECIRequest class provided by the <strong>CICS</strong> TG base classes.<br />
This provides a simple procedural type interface to the ECI, and it is used for<br />
calling COMMAREA-based <strong>CICS</strong> applications.<br />
► <strong>The</strong> Common Connector Framework (CCF) classes.<br />
<strong>The</strong>se classes implement the CCF interfaces and programming model. <strong>The</strong><br />
CCF is comprised of three core components: the CCF classes, the Enterprise<br />
Access Builder, and the Java Record Framework.<br />
► <strong>The</strong> Common Client Interface (CCI) provided by the J2EE Connector<br />
Architecture.<br />
<strong>The</strong>se classes define a standard architecture for connecting the Java 2<br />
Platform Enterprise Edition (J2EE) platform to a heterogeneous EIS such as<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> 11
12 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>CICS</strong>. Java applications interact with resource adapters using the Common<br />
Client Interface (CCI), which is largely based on the CCF, but it is a standard<br />
that is open to the entire Java community.<br />
1.2.2 External Presentation Interface<br />
<strong>The</strong> EPI is used for invoking 3270-based transactions. A terminal is installed in<br />
<strong>CICS</strong>, and <strong>CICS</strong> sees the request as running on a remote terminal controlled by<br />
the <strong>CICS</strong> TG. For further details on programming with the EPI, refer to Chapter 7,<br />
“EPI support classes”, in the redbook Java Connectors for <strong>CICS</strong>, SG24-6401.<br />
<strong>CICS</strong><br />
<strong>Transaction</strong><br />
<strong>Gateway</strong><br />
EPI<br />
Figure 1-7 External Presentation Interface<br />
<strong>CICS</strong> region<br />
3270<br />
presentation<br />
logic<br />
<strong>CICS</strong><br />
Application<br />
An EPI request can be made in Java using one of five different interfaces:<br />
► <strong>The</strong> EPIRequest class provided by the <strong>CICS</strong> TG base classes.<br />
This class provides a Java interface to the EPI, and is used for invoking<br />
3270-based transactions. Due to its low-level nature, using it for developing<br />
EPI applications requires a strong knowledge of <strong>CICS</strong> and 3270 data<br />
streams.<br />
► <strong>The</strong> EPI support classes, which provide high-level constructs for handling<br />
3270 data streams.<br />
A wide range of classes is provided including AID, FieldData, Screen,<br />
Terminal, Map and MapData. <strong>The</strong>se are used to represent the interface to a<br />
<strong>CICS</strong> 3270 terminal, and the resulting 3270 response.<br />
► <strong>The</strong> EPI beans, which are based on the EPI support classes and JavaBean<br />
development environment.<br />
<strong>The</strong>y allow you to create EPI applications in a visual development<br />
environment, using one of the visual application builder tools, such as<br />
VisualAge® for Java.
► <strong>The</strong> Common Connector Framework (CCF) classes.<br />
<strong>The</strong>se classes implement the CCF interfaces and programming model. <strong>The</strong><br />
CCF is comprised of three core components: the CCF classes, the Enterprise<br />
Access Builder, and the Java Record Framework.<br />
► <strong>The</strong> Common Client Interface (CCI) provided by the J2EE Connector<br />
Architecture.<br />
<strong>The</strong>se classes define a standard architecture for connecting the Java 2<br />
Platform Enterprise Edition (J2EE) platform to a heterogeneous EIS such as<br />
<strong>CICS</strong>. Java applications interact with resource adapters using the Common<br />
Client Interface (CCI), which is largely based on the CCF, but it is a standard<br />
that is open to the entire Java community.<br />
1.2.3 External Security Interface<br />
<strong>The</strong> ESI is used for verifying and changing the user ID and password information<br />
held in the <strong>CICS</strong> external security manager (ESM), such as RACF. It is based on<br />
the <strong>CICS</strong> Password Expiration Management (PEM) function. For further details<br />
on programming with the ESI, refer to Chapter 4 “ECI and ESI applications”, in<br />
the redbook Java Connectors for <strong>CICS</strong>, SG24-6401.<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong><br />
ESI<br />
Figure 1-8 External Security Interface<br />
P<br />
E<br />
M<br />
<strong>CICS</strong> region<br />
EXEC <strong>CICS</strong> CHANGE<br />
PASSWORD<br />
or<br />
EXEC <strong>CICS</strong> VERIFY<br />
PASSWORD<br />
RACF<br />
ESI calls to <strong>CICS</strong> can only be made using the ESIRequest class provided by the<br />
<strong>CICS</strong> TG base classes. This class provides a Java interface to the ESI, and<br />
provides two simple PEM requester functions:<br />
Verify Password Allows a client application to verify that a password<br />
matches the password for a given user ID stored by the<br />
<strong>CICS</strong> ESM.<br />
Chapter 1. <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> 13
14 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Change Password Allows a client application to change the password held by<br />
the <strong>CICS</strong> ESM for a given user ID.<br />
<strong>The</strong>re is no other interface available for the ESI, although both the EPI and ESI<br />
allow user IDs and passwords to be flowed within the actual requests. In this<br />
case the user ID and password will be either authenticated within <strong>CICS</strong> if using a<br />
distributed <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, or within the <strong>CICS</strong> TG if using the <strong>CICS</strong><br />
TG for z/OS.
Part 2 Configuring<br />
<strong>CICS</strong><br />
connections<br />
Part 2<br />
In this section, we discuss how we configured the <strong>CICS</strong> TG Client daemon on<br />
Windows 2000 to connect to a <strong>CICS</strong> region using either the TCP/IP, APPC, or<br />
TCP62 protocols.<br />
For additional information on configuring the Client daemon or <strong>CICS</strong><br />
Universal Client, refer to the <strong>CICS</strong> Universal Client configuration pamphlets<br />
available at:<br />
http://www-3.ibm.com/software/ts/cics/library/manuals/index40.html<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 15
16 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 2. APPC connections to <strong>CICS</strong><br />
In this chapter, we describe how we configured an APPC connection on an SNA<br />
network from the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) <strong>V5</strong>.0 on Windows 2000<br />
to our <strong>CICS</strong> <strong>Transaction</strong> Server (<strong>CICS</strong> TS) V2.2 region. <strong>The</strong> following platforms<br />
and products are supported for APPC communication over an SNA network:<br />
► Windows operating systems<br />
– Any one of:<br />
<strong>IBM</strong> eNetwork Communications Server V6.0.1<br />
<strong>IBM</strong> eNetwork Personal Communications <strong>V5</strong>.01<br />
Microsoft SNA Server V4.0 + SP3<br />
► AIX<br />
– <strong>IBM</strong> eNetwork Communications Server <strong>V5</strong>.0.2 & V6.01<br />
Our configuration is illustrated in Figure 2-1 on page 18.<br />
2<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 17
2.1 Introduction to APPC<br />
18 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
If two systems are to communicate successfully, they must use a common set of<br />
rules that both understand. A communications protocol is a set of rules that<br />
defines, for example, a set of standard requests and responses, and the order in<br />
which they can be sent.<br />
LU TYPE 6.2 (LU 6.2) is a Systems Network Architecture (SNA) protocol that<br />
supports both system-to-system communication and system-to-device<br />
communication. LU 6.2 is also known as advanced program-to-program<br />
communications (APPC).<br />
<strong>CICS</strong> TG <strong>V5</strong>.0<br />
LU6.2<br />
LU6.2/SNA<br />
Figure 2-1 <strong>CICS</strong> client-server connections<br />
Communications<br />
Server<br />
VTAM<br />
z/OS<br />
APPC<br />
connection<br />
<strong>CICS</strong> TS V2.2<br />
region<br />
For all connected client systems, <strong>CICS</strong> requires both a CONNECTION and<br />
SESSIONS definition. <strong>The</strong> CONNECTION definition identifies the remote<br />
system, and one or more SESSIONS definitions are associated with this<br />
CONNECTION to define the properties of the sessions.
2.1.1 Software checklist<br />
We used the levels of software shown in Table 2-1.<br />
Table 2-1 Software levels, TCP62<br />
Client workstation z/OS<br />
Windows 2000 Service Pack 2 z/OS V1.2<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for WIndows <strong>V5</strong>.0 <strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
<strong>IBM</strong> Personal Communications <strong>V5</strong>.0<br />
<strong>IBM</strong> Java Development Kit V1.3.0<br />
2.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used in this scenario are summarized in Table 2-2. Before you<br />
configure the products, we recommend that you acquire definitions for each<br />
parameter listed. Reference keys shown in the Key column are assigned to<br />
definitions that must contain the same value in more than one product. <strong>The</strong><br />
Example column shows the value we used.<br />
Table 2-2 Definitions checklist for APPC<br />
Key VTAM® <strong>CICS</strong> TS<br />
region<br />
Personal<br />
Communications<br />
1 NETID First part of<br />
partner LU name<br />
<strong>CICS</strong> TG Example<br />
US<strong>IBM</strong>SC<br />
2 PU CP Alias SC02009<br />
3 LU NETNAME Local LU name Local LU name SC02009I<br />
4 XID (IDBLK +<br />
IDNUM)<br />
5 VTAM comms.<br />
controller MAC<br />
address<br />
Local Node ID 05D02009<br />
Destination<br />
address<br />
6 APPL APPLID Second part of<br />
partner LU name<br />
400022160011<br />
Partner LU name SCSCPJA1<br />
7 LOGMODE MODENAME Mode name APPCMODE<br />
8 SSCP Fully qualified CP<br />
name<br />
US<strong>IBM</strong>SC.SC38M<br />
Chapter 2. APPC connections to <strong>CICS</strong> 19
20 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> following are the values required in our configuration:<br />
► 1 NETID - US<strong>IBM</strong>SC<br />
<strong>The</strong> NETID is the VTAM SNA network name. It is defined for your VTAM<br />
network in the VTAM start options.<br />
► 2 PU — SC02009<br />
<strong>The</strong> PU SC02009 is the name of our workstations physical unit (PU). It is<br />
named in the VTAM switched major node as shown in 2.3.3, “VTAM switched<br />
major node” on page 27. We also used the same name for the workstation<br />
control point (CP).<br />
► 3 LU — SC02009I<br />
<strong>The</strong> LU SC02009I is the independent LU 6.2 used by the <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>. It must also be defined to VTAM in a switched major node.<br />
► 4 XID — 05D02009<br />
<strong>The</strong> XID (or node ID) is configured in the VTAM switched major node using<br />
IDBLK and IDNUM. It is used in the XID exchange to activate the link station.<br />
► 5 MAC Address — 400022160011<br />
This is the MAC address of the communications adapter used by the VTAM<br />
front-end processor. This might by a communications controller such as the<br />
3172, or a 2216 router, or an OSA adapter.<br />
► 6 APPL — SCSCPJA1<br />
This is the <strong>CICS</strong> APPLID and also the VTAM APPL. It is defined in the VTAM<br />
application major node (see 2.3.1, “VTAM application major node” on<br />
page 26) used by the <strong>CICS</strong> region.<br />
► 7 LOGMODE — APPCMODE<br />
This the mode group used to control LU 6.2 session properties. It must be<br />
defined in a VTAM logon mode table, which must be named on the VTAM<br />
APPL definition as shown in 2.3.2, “VTAM logon mode table” on page 27.<br />
► 8 SSCP — SC38M<br />
This the CP for the PU of the VTAM front-end processor. In VTAM, it is<br />
referred to as the SSCP.
2.2 APPC connections in <strong>CICS</strong><br />
To define APPC connections from <strong>CICS</strong>, you will need to:<br />
► Specify the SIT parameter: ISC=YES<br />
► Install CSD groups: DFHCLNT and DFHISC<br />
► Create and install CONNECTION and SESSIONS definition, or configure<br />
<strong>CICS</strong> connection autoinstall<br />
2.2.1 <strong>CICS</strong> CONNECTION definitions<br />
<strong>The</strong> connection definition defines the location of the remote system and the<br />
parameters of the connection to it. <strong>The</strong> connection we used for the logical unit<br />
(LU) is shown in Figure 2-2.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA DEFine CONnection( SC09 )<br />
CONnection : SC09<br />
Group : SC02009<br />
DEscription ==><br />
CONNECTION IDENTIFIERS<br />
Netname ==> SC02009I<br />
CONNECTION PROPERTIES<br />
ACcessmethod ==> Vtam Vtam | IRc | INdirect | Xm<br />
PRotocol ==> Appc Appc | Lu61 | Exci<br />
Conntype ==> Generic | Specific<br />
SInglesess ==> No No | Yes<br />
OPERATIONAL PROPERTIES<br />
AUtoconnect ==> Yes No | Yes | All<br />
INService ==> Yes Yes | No<br />
SECURITY<br />
SEcurityname ==><br />
ATtachsec ==> Local Local | Identify | Verify | Persistent<br />
Figure 2-2 <strong>CICS</strong> APPC CONNECTION definition<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
NETNAME Specifies the LU name of the partner LU 6.2. In our<br />
example this is (3) SC02009I, the LU used by our <strong>CICS</strong><br />
TG.<br />
ACCESSMETHOD For advanced program-to-program communication (APPC)<br />
connections to the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>,<br />
ACCESSMETHOD must be set to VTAM.<br />
PROTOCOL Must be specified as APPC.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 21
22 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
SINGLESESS Should be set to NO if using the <strong>CICS</strong> TG, since they<br />
require the use of LU 6.2 parallel sessions.<br />
AUTOCONNECT Specifies if <strong>CICS</strong> is to bind sessions (drive CNOS) when<br />
the connection is installed. We set this parameter to YES.<br />
ATTACHSEC Defines the settings for SNA LU 6.2 conversation level<br />
security. If you wish to flow a user ID and password from<br />
the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, this parameter should be<br />
set to VERIFY. If you do not wish to flow a user ID, this<br />
should be set to LOCAL. No other setting is valid for the<br />
<strong>CICS</strong> TG.<br />
2.2.2 <strong>CICS</strong> SESSIONS definitions<br />
For each <strong>CICS</strong> CONNECTION definition, you need to define one or more<br />
SESSIONS definitions to define the SNA mode groups to be used within that<br />
connection. Figure 2-3 illustrates the sessions definition we used to define the<br />
mode group APPCMODE for our APPC connection SC09 shown in Figure 2-3.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA DEFine Sessions( SC09 )<br />
Sessions : SC09<br />
Group : SC02009<br />
DEscription ==><br />
SESSION IDENTIFIERS<br />
Connection ==> SC09<br />
SESSName ==><br />
NETnameq ==><br />
MOdename ==> APPCMODE<br />
SESSION PROPERTIES<br />
Protocol ==> Appc Appc | Lu61 | Exci<br />
MAximum ==> 008 , 001 0-999<br />
RECEIVEPfx ==><br />
RECEIVECount ==> 1-999<br />
SENDPfx ==><br />
SENDCount ==> 1-999<br />
SENDSize ==> 04096 1-30720<br />
RECEIVESize ==> 04096 1-30720<br />
SESSPriority ==> 000 0-255<br />
OPERATIONAL PROPERTIES<br />
Autoconnect ==> Yes No | Yes | All<br />
Figure 2-3 <strong>CICS</strong> APPC SESSIONS definition<br />
SYSID=PJA1 APPLID=SCSCPJA1
CONNECTION Specifies the name of the associated CONNECTION<br />
definition.<br />
MODENAME Specifies the mode group as defined in a VTAM LOGMODE.<br />
<strong>The</strong> MODENAME must be unique among the SESSIONS<br />
definitions related to one CONNECTION definition. In our<br />
example it is (7) APPCMODE.<br />
PROTOCOL Must be specified as APPC.<br />
MAXIMUM Specifies the maximum number of sessions that are to be<br />
supported. <strong>The</strong> first value is the maximum number of<br />
sessions that can be supported. <strong>The</strong> second value specifies<br />
the number of contention-winner sessions (<strong>CICS</strong>-owned<br />
sessions). <strong>The</strong>se values are negotiated when the sessions<br />
are actually bound (during change number of sessions<br />
[CNOS] flows), the negotiated values will depend on the<br />
settings specified in the partner SNA node.<br />
When using the <strong>CICS</strong> TG, the number of sessions should be<br />
at least as big as the MAXREQUESTS parameter in the CTG.INI<br />
file to prevent this becoming a potential bottleneck to<br />
throughput. <strong>The</strong> number of contention-winner sessions<br />
should be set to 1 to ensure that START requests are<br />
shipped serially from the server to the client.<br />
AUTOCONNECT Determines if the sessions for this mode group will be bound<br />
when the connection is installed. YES specifies that the<br />
contention-winner sessions are to be bound, and ALL<br />
specifies that the both contention-winner and<br />
contention-loser sessions are to be bound.<br />
2.2.3 <strong>CICS</strong> connection autoinstall<br />
<strong>CICS</strong> connection autoinstall, like terminal autoinstall, allows CONNECTION and<br />
SESSIONS definitions to be dynamically created (and deleted) based on a<br />
sample template definition.<br />
Configuring connection autoinstall is a relatively simple exercise. First, update<br />
the default autoinstall program from DFHZATDX to DFHZATDY. This is achieved<br />
by specifying the SIT parameter AIEXIT=DFHZATDY. <strong>The</strong> new autoinstall<br />
program DFHZATDY has the same function as DFHZATDX, but supports<br />
autoinstall of connections as well as terminals. Alternatively, it is possible to write<br />
your own autoinstall user-replaceable module based on the samples provided.<br />
Autoinstall of connections is particularly useful when dealing with many similar<br />
connections, or when you are unsure of the LU names (netnames) to be used.<br />
This will be the case if you are using dynamic LUs with TCP62 connections from<br />
the <strong>CICS</strong> TG.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 23
24 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Like autoinstall for terminals, autoinstall for APPC connections requires model<br />
definitions. <strong>The</strong> supplied DFHZATDY autoinstall program uses the template<br />
CBPS. This is supplied in DFHAI62 group and must be copied to your own group<br />
and modified accordingly. Figure 2-4 and Figure 2-5 on page 25 illustrate the<br />
CBPS connection and session templates we used during this project.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter CONnection( CBPS )<br />
CONnection : CBPS<br />
Group : PJAAI62<br />
DEscription ==> APPC Autoinstall template for parallel session secondary<br />
CONNECTION IDENTIFIERS<br />
Netname ==> TMPLATE1<br />
INDsys ==><br />
CONNECTION PROPERTIES<br />
ACcessmethod ==> Vtam Vtam | IRc | INdirect | Xm<br />
PRotocol ==> Appc Appc | Lu61 | Exci<br />
SInglesess ==> No No | Yes<br />
OPERATIONAL PROPERTIES<br />
AUtoconnect ==> Yes No | Yes | All<br />
INService ==> Yes Yes | No<br />
SECURITY<br />
SEcurityname ==><br />
ATtachsec ==> Local Local | Identify | Verify | Persistent<br />
| Mixidpe<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
Figure 2-4 <strong>CICS</strong> autoinstall connection template<br />
<strong>The</strong> parameters in the CONNECTION definition template are essentially the<br />
same as when defining a static definition (2.2.1, “<strong>CICS</strong> CONNECTION<br />
definitions” on page 21), except that the NETNAME is not required.
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter Sessions( CBPS )<br />
Sessions : CBPS<br />
Group : PJAAI62<br />
DEscription ==> APPC Autoinstall template for parallel session secondary<br />
SESSION IDENTIFIERS<br />
Connection ==> CBPS<br />
SESSName ==><br />
NETname ==><br />
MOdename ==> APPCMODE<br />
SESSION PROPERTIES<br />
Protocol ==> Appc Appc | Lu61 | Exci<br />
MAximum ==> 008 , 001 0-999<br />
SENDSize ==> 04096 1-30720<br />
RECEIVESize ==> 04096 1-30720<br />
Figure 2-5 <strong>CICS</strong> autoinstall sessions template<br />
<strong>The</strong> parameters in the SESSIONS definition template should also be the same<br />
as when defining a static definition (see 2.2.2, “<strong>CICS</strong> SESSIONS definitions” on<br />
page 22), except that the CONNECTION parameter should refer to the CBPS<br />
CONNECTION definition.<br />
If you use the supplied connection autoinstall program (DFHZATDY), the<br />
connection name generated will be based on the last four characters of the<br />
NETNAME. If you need to change this, then you will have to create your own<br />
user-replaceable module from the sample provided in<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHSAMP.<br />
2.3 APPC connections and VTAM<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
<strong>CICS</strong> uses the services of VTAM for all SNA network connectivity to other LUs,<br />
including the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>. <strong>CICS</strong> itself acts as an LU 6.2 and<br />
requires a connection with parallel sessions to any connected <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>. To use LU 6.2 parallel sessions with <strong>CICS</strong>, you need to configure the<br />
following VTAM resources:<br />
► Application major node: This contains the <strong>CICS</strong> LU definition (or APPL).<br />
► Logon mode table: This contains the LOGMODE, which defines the<br />
characteristics of the LU 6.2 sessions to be used.<br />
► Switched major node: This contains details of the connected node, including<br />
the physical unit (PU) and associated partner LUs.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 25
26 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
If you are using an LU 6.2 over an IP connection (as provided by the TCP62<br />
protocol), you do not require a switched major node but instead will require a<br />
TCP major node, and possibly CDRSC definitions. For further details, refer to<br />
3.3, “VTAM definitions” on page 44.<br />
► Network name: <strong>The</strong> first parameter you should ascertain before you<br />
define any VTAM resource is the name of your VTAM network, which will<br />
most likely have already been defined by your VTAM systems programmer.<br />
This is defined in the NETID parameter in the VTAM start procedure; in our<br />
configuration, it was (1) US<strong>IBM</strong>SC.<br />
In the following sections, we detail how to configure each of these resources.<br />
2.3.1 VTAM application major node<br />
For a <strong>CICS</strong> system to be able to communicate with other SNA logical units using<br />
VTAM services, you must define <strong>CICS</strong> to ACF/VTAM. This is achieved by<br />
defining a VTAM application program (APPL) major node for each <strong>CICS</strong> region.<br />
<strong>The</strong>se are defined as APPL definition statements in a member of the<br />
SYS1.VTAMLST library. Example 2-1 shows the VTAM APPL definition for our<br />
<strong>CICS</strong> region (6)SCSCPJA1.<br />
Example 2-1 VTAM APPL definition<br />
VBUILD TYPE=APPL<br />
SCSCPJA1 APPL AUTH=(ACQ,VPACE,PASS),VPACING=0,EAS=5000,PARSESS=YES, X<br />
SONSCIP=YES,APPC=NO,MODETAB=MTAPPC<br />
AUTH Must be specified as ACQ to allow <strong>CICS</strong> to acquire sessions.<br />
VPACE is required to allow pacing of the LU 6.2 flows. PASS will<br />
allow existing terminal sessions to be passed to other <strong>CICS</strong><br />
region using the <strong>CICS</strong> command EXEC <strong>CICS</strong> ISSUE PASS.<br />
EAS Is the number of network addressable units (NAU) that this LU<br />
can establish sessions with, and can have a maximum value of<br />
5000. An NAU is either a logical unit, a physical unit, or a control<br />
point. This parameter therefore limits the maximum number of<br />
LU-LU sessions any one <strong>CICS</strong> region can have.<br />
PARSESS Must be specified as YES, since the <strong>CICS</strong> TG requires LU 6.2<br />
parallel sessions to be used.<br />
SONSCIP Specifies session outage notification support, which enables<br />
<strong>CICS</strong>, in some cases, to recover a failed system without requiring<br />
operator intervention.<br />
APPC Must be specified as NO.
MODETAB Is the name of the VTAM logon mode table that contains the<br />
customized user mode entries. You may omit this operand if you<br />
choose to add your MODEENT entries to the <strong>IBM</strong>-supplied logon<br />
mode table, ISTINCLM, or if you use only the predefined entries<br />
(such as #INTER) from this table.<br />
2.3.2 VTAM logon mode table<br />
<strong>CICS</strong> requires a VTAM logon mode table for every mode used in a <strong>CICS</strong><br />
SESSIONS definition. VTAM logon modes are defined in a LOGMODE.<br />
Figure 2-2 shows the logon mode table we used to define the mode (7)<br />
APPCMODE used for the LU 6.2 sessions to our <strong>CICS</strong> region SCSCPJA1.<br />
Example 2-2 VTAM LOGMODE, APPMODE<br />
* LOGMODE ENTRY FOR <strong>CICS</strong> LU 6.2 PARALLEL SESSIONS**<br />
POKMODE MODETAB<br />
APPCMODE MODEENT LOGMODE=APPCMODE,<br />
MODEEND<br />
END<br />
<strong>The</strong> session limits are not defined in this logmode table, since they are defined in<br />
the <strong>CICS</strong> CONNECTION definition (Figure 2-3 on page 22). You should also<br />
note that the SNASVCMG mode is supplied by VTAM for the management of LU<br />
6.2 parallel sessions, and should not be used for normal APPC traffic, including<br />
<strong>CICS</strong> flows.<br />
2.3.3 VTAM switched major node<br />
<strong>The</strong> VTAM switched major node defines both the link station to the remote PU<br />
and the LUs available within that PU. In VTAM all partner LU 6.2s must either be<br />
defined in VTAM, or defined dynamically (specify DYNLU=YES). However, if your<br />
VTAM network is a subarea network (that is, not in an Advanced Peer-to-Peer<br />
Networking [APPN] network) and does not use dynamic LUs, then you will need<br />
to define the partner LU 6.2s using a switched major node. Example 2-3<br />
illustrates the switched major node we used to define the SNA node (2) SC02009<br />
and the independent LU 6.2 (3) SC02009I. We also define here the XID (4) that is<br />
made of the IDBLK (05D) and IDNUM (02009).<br />
Example 2-3 VTAM PU, SC02009I<br />
SC02009 PU ADDR=01, +<br />
IDBLK=05D,IDNUM=02009, +<br />
ANS=CONT,DISCNT=NO, +<br />
IRETRY=NO,ISTATUS=ACTIVE, +<br />
MAXDATA=265,MAXOUT=7, +<br />
Chapter 2. APPC connections to <strong>CICS</strong> 27
28 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
MAXPATH=1,USSTAB=USSRDYN, +<br />
PUTYPE=2,SECNET=NO, +<br />
MODETAB=POKMODE,DLOGMOD=DYNTRN, +<br />
PACING=1,VPACING=2<br />
*<br />
SC02009I LU LOCADDR=0,DLOGMOD=APPCMODE<br />
2.4 Configuring <strong>IBM</strong> Personal Communications<br />
To configure <strong>IBM</strong> Personal Communications, we selected Start -> Programs -><br />
<strong>IBM</strong> Personal Communications -> SNA Node Configuration. <strong>The</strong> Node<br />
Configuration window is the main window and from here we chose the following:<br />
► Configure the Node and enter the following information:<br />
– Fully qualified CP name(1.2): US<strong>IBM</strong>SC.SC02009<br />
– CP alias (2): SC02009<br />
– Local Node ID(4):<br />
Block ID: 05D<br />
Physical Unit ID: 02009<br />
► Configure a LAN Device and enter the following information:<br />
– Accept the defaults<br />
► Configure the a LAN Connection and enter the following information:<br />
– Destination Address(5): 400022160011<br />
► Configure a Local LU 6.2 definition:<br />
– Local LU name and alias(3): SC02009I<br />
► Configure a Partner LU 6.2 definition as follows:<br />
– Partner LU name(1.6): US<strong>IBM</strong>SC.SCSCPJA1<br />
– Partner LU alias(6)): SCSCPJA1<br />
– Fully qualified CP name(8): US<strong>IBM</strong>SC.SC38M<br />
► Configure a Mode as follows:<br />
– Mode name(7): APPCMODE<br />
– PLU mode session limit: 8<br />
– Minimum contention winner sessions: 99<br />
– Advanced settings:<br />
Maximum negotiable session limit: 100<br />
Receive pacing window size: 8<br />
Class of service name: #CONNECT<br />
Use default RU size
► Configure a <strong>Transaction</strong> Program definition as follows:<br />
– TP name: CRSR<br />
– Complete path name: C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\bin\cclclnt.exe<br />
– Program parameters: CRSR<br />
– Conversation type: Mapped<br />
– Synchronization level: Any<br />
– Conversation Security: Not checked<br />
– Advanced settings:<br />
Receive_Allocate timeout: 0<br />
Incoming allocate timeout: 0<br />
TP instance limit: 1<br />
Make sure none of the boxes are checked<br />
<strong>The</strong> file was saved under the \private subdirectory with the name sc02009.acg.<br />
Configuration booklets, which document the required configuration for all the<br />
different <strong>CICS</strong> TG scenarios, can be found at the following Web site:<br />
http://www-3.ibm.com/software/ts/cics/library/manuals/ctg40dl.html<br />
2.5 APPC definitions for the <strong>CICS</strong> TG<br />
We used the <strong>CICS</strong> TG Configuration Tool to configure the connection to the<br />
<strong>CICS</strong> region. <strong>The</strong> Configuration Tool generates the CTG.INI file. <strong>The</strong> Client<br />
daemon uses the CTG.INI file to establish a connection to a <strong>CICS</strong> region.<br />
We defined the server connection to our <strong>CICS</strong> TS region as shown in Figure 2-6<br />
on page 30.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 29
30 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 2-6 Configuration Tool, APPC definitions<br />
<strong>The</strong> parameters that we used are as follows:<br />
► Server<br />
An arbitrary name for a particular <strong>CICS</strong> region (we used the value<br />
APPCPJA1) to distinguish this connection from our TCP62 and TCP/IP<br />
connections.<br />
► Description<br />
An arbitrary description for the <strong>CICS</strong> region.<br />
► Network Protocol<br />
<strong>The</strong> protocol for communication with the <strong>CICS</strong> region (in this case, SNA).<br />
► Partner LU name<br />
<strong>The</strong> LU name of the server as it is known to the SNA configuration (in our<br />
case, the fully qualified partner LU name of (1.6) US<strong>IBM</strong>SC.SCSCPJA1).<br />
► Local LU name<br />
<strong>The</strong> name of a local LU to be used when connecting to the server (in our<br />
case, the local LU name of (3) SC02009I).<br />
► Mode name<br />
<strong>The</strong> LU 6.2 mode name to be used when connecting to the server (in our<br />
case (7) APPCMODE).
Testing the configuration<br />
After we installed and configured the software components, we tested our<br />
configuration as follows:<br />
1. Checked the SNA Link Station from the workstation to VTAM was active, as<br />
follows:<br />
– Start the SNA Node Operation tool by clicking Start -> Programs -> <strong>IBM</strong><br />
Personal Communications -> Administrative and PD Aids -> SNA<br />
Node Operations.<br />
Figure 2-7 SNA Node Operations, Connection status<br />
– From the central drop-down list box, select Connections. Check that the<br />
state of the connection is Active. This indicates that the XID exchange<br />
between the workstation PU and the VTAM PU was successful.<br />
2. Started the <strong>CICS</strong> region SCSCPJA1.<br />
3. Installed the <strong>CICS</strong> CONNECTION and SESSIONS definitions (since we were<br />
not using connection autoinstall).<br />
4. Checked the state of the <strong>CICS</strong> connection using the command:<br />
CEMT I CONN<br />
5. <strong>The</strong> connection should show Acq, meaning LU 6.2 sessions are bound.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 31
32 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
I CONN<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Con(SC09) Net(SC02009I) Ins Acq Vta Appc<br />
Nqn(US<strong>IBM</strong>SC.SC02009I )<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 17.37.13 DATE: 07.22.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 2-8 <strong>CICS</strong> APPC connection definition<br />
6. Checked the state of the LU 6.2 sessions in the Personal Communications<br />
SNA Node Operations tool, as follows:<br />
– Start the SNA Node Operation tool using Start -> Programs -> <strong>IBM</strong><br />
Personal Communications -> Administrative and PD Aids -> SNA<br />
Node Operations.<br />
– From the central drop-down list box, select LU 6.2 Sessions (see<br />
Figure 2-9). Each active session will be individually listed. In our<br />
configuration we had one SNASVCMG session bound, and one<br />
APPCMODE session bound.<br />
Figure 2-9 SNA Node Operations, Connection status
7. Started the Client daemon connection to the <strong>CICS</strong> region using the<br />
command:<br />
<strong>CICS</strong>CLI /S=APPCPJA1<br />
APPCPJA1 is the server name specified in the Client configuration as shown<br />
in Figure 2-6 on page 30.<br />
8. Checked the status of the connection to the <strong>CICS</strong> region using the command:<br />
<strong>CICS</strong>CLI /L<br />
<strong>The</strong> connection status is available, as shown in Example 2-4.<br />
Example 2-4 Checking connection status<br />
C:\><strong>CICS</strong>CLI /L<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL8041I <strong>The</strong> <strong>CICS</strong> Client is using the following servers:<br />
CCL8042I Server 'APPCPJA1' (using 'SNA' to 'US<strong>IBM</strong>SC.SCSCPJA1') is available<br />
9. Issued the <strong>CICS</strong>TERM /S=APPCPJA1 command to install a client terminal on the<br />
<strong>CICS</strong> region.<br />
10.Ran the <strong>CICS</strong>-supplied transaction CEOT to display the name of our installed<br />
terminal in <strong>CICS</strong> (Figure 2-10).<br />
Figure 2-10 <strong>CICS</strong>TERM, CEOT<br />
Chapter 2. APPC connections to <strong>CICS</strong> 33
34 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Lastly, we checked the <strong>CICS</strong> region CSMT log to view the messages from the<br />
<strong>CICS</strong> connection autoinstall as shown in Example 2-5.<br />
Example 2-5 <strong>CICS</strong> log messages from the connection autoinstall<br />
DFHZC3461 I 07/22/2002 17:40:21 SCSCPJA1 -AAY CSNE Node SC02009I session started. ((1) Module<br />
name: DFHZOPX) NQNAME -AAY,CSNE,17:40:21,US<strong>IBM</strong>SC SC02009I<br />
DFHZC4900 I 07/22/2002 18:04:34 SCSCPJA1 -AAY CLS1 CNOS received from Node SCHPHIL9 System SC09<br />
Modename APPCMODE, Max = 8, Win=7, successful. ((1) Module name: DFHZGCN)<br />
DFHZC4901 I 07/22/2002 17:40:21 SCSCPJA1 -AAY CLS1 Node SC02009I System SC09 Modename APPCMODE,<br />
Negotiated values: Max=8, Win=7. ((1) Module name: DFHZGCN)<br />
DFHZC3461 I 07/22/2002 17:40:22 SCSCPJA1 -AA6 CSNE Node SC02009I session started. ((1) Module<br />
name: DFHZOPX) NQNAME -AA6,CSNE,17:40:22,US<strong>IBM</strong>SC SC02009I<br />
DFHZC5966 I 07/22/2002 17:48:27 SCSCPJA1 INSTALL started for TERMINAL ( \AAA) (Module name:<br />
DFHBSTZ).
2.6 Problem determination<br />
2.6.1 Tips and utilities<br />
In this section, we discuss the different tools available for performing problem<br />
resolution for LU 6.2 connections.<br />
<strong>The</strong> <strong>CICS</strong> transaction CEMT can be used to query the status of <strong>CICS</strong><br />
connections and sessions.<br />
To view the status of all APPC connections, issue the command:<br />
CEMT INQ CONN<br />
To view the status of LU 6.2 sessions, issue the command:<br />
CEMT INQ MOD CONN(SC09)<br />
This will provide the netname. <strong>The</strong>n use the following command to see the<br />
individual status of each session:<br />
CEMT INQ NETNAME(SC02009I)<br />
SNA sense codes<br />
We found the Personal Communications GetSense utility helpful for quickly<br />
looking up SNA sense code. To launch GetSense from Windows, click Start -><br />
Programs -> <strong>IBM</strong> Personal Communications -> Administrative and PD Aids<br />
and click Display SNA Sense Data. <strong>The</strong> GetSense window will appear, as<br />
shown in Figure 2-11.<br />
Figure 2-11 GetSense window<br />
SNA sense data can be entered in the Sense Data field and a detailed sense<br />
code description displayed by clicking Lookup.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 35
2.6.2 Tracing<br />
36 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In this section, we provide information on how to use the trace facilities provided<br />
with the Client daemon to debug a simple APPC communications problem.<br />
Client daemon<br />
<strong>The</strong> first place to look for error messages when using the <strong>CICS</strong> TG on the<br />
Windows system is the Client daemon log file. This is specified in the Client<br />
configuration parameters in the <strong>CICS</strong> TG Configuration Tool. We used the default<br />
name <strong>CICS</strong>CLI.LOG, which can be found in the <strong>CICS</strong> TG \bin subdirectory.<br />
<strong>The</strong> first step to useful tracing with the Client daemon is identifying which<br />
components should be traced. A full list is shown in Example 2-6 and can be<br />
viewed using the command <strong>CICS</strong>CLI /M. If in doubt, you should trace with the<br />
default selected components, as these have been selected to be sufficient to<br />
diagnose most problems. <strong>The</strong> default components have an X in front of them in<br />
the following example. To turn on all the parameters, you can use /M=ALL option.<br />
Example 2-6 <strong>CICS</strong> TG client trace options<br />
C:\>cicscli /m<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL1120I Trace has not been started<br />
CCL1100I <strong>The</strong> following list shows what components can be traced<br />
CCL1101I An 'X' indicates which components are enabled<br />
CCL1102I <strong>CICS</strong>CLI Command Process [CLI]<br />
CCL1103I Interprocess Communication [TRN]<br />
CCL1104I X Protocol Drivers (Level 1) [DRV.1]<br />
CCL1105I Protocol Drivers (Level 2) [DRV.2]<br />
CCL1106I X API (Level 1) [API.1]<br />
CCL1107I API (Level 2) [API.2]<br />
CCL1108I X Client Daemon [CCL]<br />
CCL1109I Terminal Emulators [EMU]<br />
CCL1111I C++ Class Libraries [CPP]<br />
CCL1112I Workload Manager [LMG]<br />
CCL1113I <strong>CICS</strong> Client Service for NT [SER]<br />
Trace is written to a binary file called, by default, <strong>CICS</strong>CLI.BIN. To read the trace,<br />
you must format the binary file into a text file by using the <strong>CICS</strong>FTRC /D<br />
command. This will produce a viewable file called <strong>CICS</strong>CLI.TRC. Both<br />
<strong>CICS</strong>CLI.BIN and <strong>CICS</strong>CLI.TRC are found, by default, in the \BIN subdirectory.<br />
<strong>The</strong> <strong>CICS</strong> TG Client daemon trace is started with the <strong>CICS</strong>CLI /D command. If<br />
you need to trace the client from startup, you can specify all the parameters<br />
needed together on the command line, such as:
<strong>CICS</strong>CLI /S=SCSCPJA1 /D=9999 /M=ALL<br />
For more information on Client daemon tracing, wrapping trace, and formatting<br />
options, refer to <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Windows Client Administration,<br />
SC34-5940.<br />
<strong>IBM</strong> Personal Communications<br />
If you suspect there is an SNA communication problem in your configuration,<br />
then using <strong>IBM</strong> Personal Communications Trace Facility can provide useful<br />
diagnostic information. <strong>The</strong> most useful type of SNA trace is likely to be the<br />
data-link control (DLC) level tracing (or in SNA terms, link station tracing), which<br />
will show you the binds, bind responses, attaches (FMH-5), and attach errors<br />
(FMH-7).<br />
To start the trace utility, click Start -> Programs -> <strong>IBM</strong> Personal<br />
Communications -> Administrative and PD Aids -> Trace Facility. This will<br />
display the Trace Facility as shown in Figure 2-12.<br />
Figure 2-12 Personal Communications Trace Facility<br />
If you have a LAN connection and wish to activate DLC tracing, select<br />
Connectivity in the left pane, then LAN (LLC2) in the middle pane, then All<br />
frames trace in the right pane. To activate the trace, click Start, run the desired<br />
operation, and then click Stop. To save the trace to a file, click Save and you will<br />
be prompted for a file name and whether or not to append or replace the trace<br />
file. By default, an unformatted trace file will be saved as NSTRC.TRC. <strong>The</strong>n to<br />
format the trace file, click Format, and the formatted file NSTRC.TLG will be<br />
produced. This formatted trace file can then be viewed using the Personal<br />
Communications Log viewer utility by double-clicking the file.<br />
Chapter 2. APPC connections to <strong>CICS</strong> 37
38 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Interpretation of these traces is beyond the scope of this book. For further details<br />
you should reference Systems Network Architecture Formats, GA27-3136-19.<br />
However, although SNA traces can be complicated to fully understand, they can<br />
also be useful to an inexperienced user, by revealing the actual LU name, partner<br />
LU name, mode name, and other parameters that actually were used. In addition,<br />
a simple inspection can often reveal the data contained with the request unit<br />
(RU), which will equate to the <strong>CICS</strong> COMMAREA or 3270 data stream sent to or<br />
returned from a <strong>CICS</strong> program or transaction.
3<br />
Chapter 3. TCP62 connections to <strong>CICS</strong><br />
In this chapter, we describe how we configured a TCP62 connection from the<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) <strong>V5</strong> on Windows 2000 to our <strong>CICS</strong><br />
<strong>Transaction</strong> Server (<strong>CICS</strong> TS) V2.2 region. We show only Windows 2000, but<br />
these steps can be used to configure all the platforms except z/OS, since there<br />
are no major differences. Our configuration is illustrated in Figure 3-2 on<br />
page 41.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 39
3.1 Introduction to TCP62<br />
40 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In the <strong>CICS</strong> TG <strong>V5</strong> the TCP62 protocol is now supported on all platforms, except<br />
for z/OS. It is integrated with the base product and it is not a separately<br />
installable feature. Configurations and definitions used with the previous (<strong>CICS</strong><br />
TG V3) implementation will work with the new implementation transparently.<br />
TCP62 is a communications mechanism that provides the ability to connect from<br />
the <strong>CICS</strong> TG to a <strong>CICS</strong> TS region over an IP network. It utilizes the function of<br />
<strong>IBM</strong>’s Multiprotocol Transport Networking (MPTN) protocol switching technology<br />
to send LU 6.2 (APPC) Systems Network Architecture (SNA) flows over an IP<br />
network. Figure 3-1 on page 45 illustrates how APPC, SNA, and LU 6.2/IP work<br />
together at the protocol level.<br />
LU6.2/SNA<br />
SNA LU6.2<br />
SNA PU2.1<br />
Figure 3-1 TCP62 and SNA protocols<br />
TCP62<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
APPC<br />
IEEE 802.2 Logical Link Control<br />
IEEE 802 Medium<br />
Access Control<br />
LAN<br />
UDP / TCP<br />
<strong>The</strong> TCP62 SNA node on the <strong>CICS</strong> TG machine is dynamically configured using<br />
parameters from the configuration file (CTG.INI). <strong>The</strong>refore no SNA configuration<br />
is necessary on the Windows client. On z/OS it is necessary to configure both an<br />
APPC connection in <strong>CICS</strong> and the required AnyNet® definitions for VTAM.<br />
LU6.2/IP<br />
IP
Static LU names<br />
We simplified our configuration by using static definitions. With this method the<br />
LU names are pre-set and not generated dynamically. This is useful if you only<br />
have a few Client workstations or in situations where you might want to match the<br />
LU name (NETNAME) with a specific connection in <strong>CICS</strong>, for security, audit, or<br />
other reasons.<br />
Dynamic LU name generation<br />
It is also possible to use dynamic LU name generation with TCP62 connections.<br />
This reduces the amount of configuration required and has the added benefit of<br />
allowing the same CTG.INI configuration file to be used on all the workstations in<br />
your TCP/IP subnet. For more details refer to “TCP62 dynamic LU names” on<br />
page 48.<br />
In Figure 3-2, we illustrate an overview of our TCP62 environment that shows<br />
how we configured in this chapter.<br />
Windows 2000<br />
<strong>CICS</strong> TG<br />
TCP62<br />
TCP/IP<br />
Figure 3-2 <strong>CICS</strong> TG TCP62 configuration<br />
IP network<br />
LU6.2/IP<br />
z/OS<br />
<strong>CICS</strong> TS<br />
(SCSCPJA1)<br />
VTAM<br />
AnyNet<br />
TCP/IP<br />
volga.almaden.ibm.com wtsc66.itso.ibm.com<br />
9.1.38.39<br />
9.12.6.6<br />
Tip: We also found it was possible to move the CTG.INI file to the AIX platform<br />
without making any modifications, and use our TCP62 configuration to<br />
connect our <strong>CICS</strong> TG for AIX to <strong>CICS</strong>. However, on some platforms the<br />
protocol drivers have different names (for more information see 9.3, “Testing<br />
the configuration” on page 224). To avoid this, the ctgcfg command can be<br />
run with the -plat option, specifying the particular platform required. <strong>The</strong> list<br />
of possible platforms can be queried using the command ctgcfg -?.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 41
3.1.1 Software checklist<br />
42 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We used the levels of software shown in Table 3-1.<br />
Table 3-1 Software levels, TCP62<br />
Client workstation z/OS<br />
Windows 2000 Service Pack 2 z/OS V1.2<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for WIndows <strong>V5</strong>.0 <strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
<strong>IBM</strong> Java Development Kit V1.3.0<br />
3.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used to configure this scenario are summarized in Table 3-2.<br />
Before you configure the products, we recommend that you decide on definitions<br />
for each parameter listed. Reference keys shown in the Key column are assigned<br />
to definitions that should contain the same value in more than one product. <strong>The</strong><br />
Example column shows the values we used in our configuration.<br />
Table 3-2 Definitions checklist for TCP62<br />
Key z/OS Comms.<br />
Server (VTAM<br />
and TCP/IP)<br />
<strong>CICS</strong> TS region <strong>CICS</strong> TG (TCP62) Example<br />
1 IP address 9.12.6.6<br />
2 DNSUFX AnyNet domain name<br />
suffix<br />
3 PORT 397 397<br />
itso.ibm.com<br />
4 NETID Partner LU name US<strong>IBM</strong>SC<br />
5 APPL APPLID Partner LU name SCSCPJA1<br />
6 LOGMODE MODENAME Mode name APPCMODE<br />
IP address mask for LU<br />
name template<br />
Fully qualified control point<br />
name<br />
00000000<br />
US<strong>IBM</strong>SC.CCLI62CP<br />
NETNAME Local LU name CCLI62LU
3.2 APPC connections in <strong>CICS</strong><br />
From a <strong>CICS</strong> perspective, the TCP62 client is just another LU 6.2 independent<br />
LU. Thus, you will need to configure ISC support in <strong>CICS</strong>, and if you use dynamic<br />
LUs, you will need to configure autoinstall of <strong>CICS</strong> connections, since it will not<br />
be possible to predict the LU name of the client LU.<br />
<strong>The</strong> VTAM APPLID 5 of our <strong>CICS</strong> region was defined as SCSCPJA1. This is<br />
combined with the VTAM NETID 4 of US<strong>IBM</strong>SC to make a fully qualified partner<br />
LU name of US<strong>IBM</strong>SC.SCSCPJA1.<br />
We also performed the following configuration in our <strong>CICS</strong> region, depending on<br />
whether we were using autoinstalled connections of static connections.<br />
Static connections<br />
We did the following with our static connections:<br />
► Configured the following SIT parameters:<br />
– ISC=YES<br />
– APPLID=SCSCPJA1<br />
► Installed groups: DFHISC and DFHCLNT<br />
► Defined and installed <strong>CICS</strong> CONNECTION and SESSIONS definitions.<br />
For more details refer to 2.2, “APPC connections in <strong>CICS</strong>” on page 21.<br />
Autoinstalled connections<br />
We did the following with our autoinstalled connections:<br />
► Configured the following SIT parameters:<br />
– ISC=YES<br />
– APPLID=SCSCPJA1<br />
– AIEXIT=DFHZATDY<br />
► Installed groups: DFHISC and DFHCLNT<br />
► Enabled <strong>CICS</strong> APPC CONNECTION autoinstall for parallel sessions<br />
For more details on configuring autoinstalled APPC connections in <strong>CICS</strong>, refer to<br />
2.2.3, “<strong>CICS</strong> connection autoinstall” on page 23.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 43
3.3 VTAM definitions<br />
44 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In this section, we present the TCP/IP, VTAM and VTAM AnyNet definitions we<br />
used on our z/OS system.<br />
Basic VTAM definitions<br />
TCP62 requires <strong>CICS</strong> and VTAM to be correctly configured to accept LU 6.2<br />
parallel sessions. In our VTAM network, our network was already configured as<br />
US<strong>IBM</strong>SC (using NETID=US<strong>IBM</strong>SC in the VTAM startup options). We also<br />
configured a VTAM LOGMODE for the APPCMODE mode group and specified<br />
PARSESS=YES on our VTAM APPL definition. For further details on defining<br />
VTAM definitions, refer to 2.3, “APPC connections and VTAM” on page 25.<br />
TCP/IP<br />
<strong>The</strong> TCP/IP address (1) and host name for the z/OS system are defined by<br />
default in the PROFILE.TCPIP and TCPIP.DATA data sets. In our configuration<br />
the data set was TCPIPMVS.SC66.TCPPARMS and it has members TCPPROF<br />
and TCPDATA. <strong>The</strong> best way to find these data sets is to look from SDSF DA for<br />
active started tasks or from your PROCLIB. <strong>The</strong>se members have a lot of<br />
information but we are only interested with the TCPIPJOBNAME, HOSTNAME,<br />
DOMAINNAMEORIGIN and HOME parameters. <strong>The</strong> first three can be found<br />
from the TCPDATA member, and the HOME parameter is found in the TCPPROF<br />
member. In our configuration:<br />
TCPIPJOBNAME TCPIPMVS is the TCP/IP started task name<br />
HOSTNAME wtsc66 is the host name of our z/OS system<br />
DOMAINNAMEORIGIN itso.ibm.com is the domain name<br />
HOME 9.12.6.6 is the TCP/IP address<br />
Tip: You can also use the TSO command HOMETEST to verify the IP<br />
configuration on your z/OS system.<br />
TCP/IP major node<br />
<strong>The</strong> VTAM TCP/IP major node defines the AnyNet interface between TCP/IP and<br />
VTAM. You need only one TCP/IP major node for each LPAR. If you do not know<br />
your TCP/IP major node name, you can see if it is defined using the VTAM<br />
command D NET,MAJNODE. On our system, this displayed the following entry:<br />
IST089I APTCP01 TYPE = TCP/IP MAJOR NODE, ACTIV<br />
Our TCP/IP major node definition is shown in Example 3-1 on page 45. <strong>The</strong><br />
important parameters are the port and possibly the TCP/IP job name<br />
(TCPIPJOB), if you are using multiple TCP/IP stacks.
Example 3-1 Content of ESA.SYS1.VTAMLST(APTCP01)<br />
APTCP01 VBUILD TYPE=TCP,<br />
CONTIMER=25,<br />
DGTIMER=40,<br />
DNSUFX=ITSO.<strong>IBM</strong>.COM,<br />
EXTIMER=5,<br />
IATIMER=60,<br />
PORT=397,<br />
TCB=10,<br />
TCPIPJOB=TCPIPMVS<br />
TCP01GRP GROUP ISTATUS=ACTIVE<br />
TCP01LNE LINE ISTATUS=ACTIVE<br />
TCP01PU PU ISTATUS=ACTIVE<br />
Tip: <strong>The</strong> DNSUFX is the domain name suffix used by VTAM when sending<br />
outbound allocates. This does not need to match the AnyNet domain name<br />
suffix used in the <strong>CICS</strong> TG Configuration Tool (Figure 3-4 on page 47), but we<br />
set it to the same value for simplicity. In practice, we found this value is only<br />
required by VTAM if the <strong>CICS</strong> region is initiating binds (starting the<br />
connection), which is not the case with a TCP62 configuration.<br />
Dynamic LU name generation<br />
We also configured dynamic creation of partner LUs in VTAM. This simplifies the<br />
administration required in VTAM. To enable dynamic LUs, we specified<br />
DYNLU=YES as a startup option for VTAM. A CDRSC definition is in effect a<br />
partner LU 6.2 definition in VTAM for the LU on the workstation. Using dynamic<br />
LUs meant that VTAM would create these definitions as required.<br />
Tip: If you do not have DYNLU=YES as a startup option for VTAM, then you<br />
will have to statically define cross-domain resource (CDRSC) definitions to<br />
VTAM for all your <strong>CICS</strong> TG TCP62 LUs. This also means you cannot use the<br />
dynamic LU name generation function in the <strong>CICS</strong> TG, since you will be<br />
unable to know the names of your LUs in VTAM. In our example the following<br />
definitions would suffice:<br />
APTCP0C VBUILD TYPE=CDRSC<br />
CCLI62LU CDRSC ALSLIST=TCP01PU<br />
For further details on configuring CDRSC definitions for LU 6.2, refer to<br />
AnyNet SNA over TCP/IP, SC31-8578.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 45
3.4 TCP62 definitions for the <strong>CICS</strong> TG<br />
46 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We used the <strong>CICS</strong> TG Configuration Tool to define the settings for TCP62<br />
communication. <strong>The</strong> Configuration Tool generates the CTG.INI file, which is<br />
located in the \bin subdirectory. This file is read by the <strong>CICS</strong> TG when started<br />
and used to establish a connection to a <strong>CICS</strong> Server. We defined the following<br />
parameters as shown in Figure 3-3.<br />
Figure 3-3 TCP62 settings in Configuration Tool<br />
► Server name<br />
An arbitrary name for your <strong>CICS</strong> server connection. We specified the name<br />
SC62PJA1.<br />
► Description<br />
An arbitrary description for the <strong>CICS</strong> server.<br />
► Network protocol<br />
<strong>The</strong> protocol for communication with the <strong>CICS</strong> server (in our example,<br />
TCP62).
► Partner LU name 4.5<br />
<strong>The</strong> fully qualified LU name of the <strong>CICS</strong> region as it is known in VTAM. This is<br />
the APPL ID of the <strong>CICS</strong> region preceded by the SNA network name (in our<br />
example, US<strong>IBM</strong>SC.SCSCPJA1).<br />
► Mode name 6<br />
<strong>The</strong> SNA mode name to be used when connecting to the <strong>CICS</strong> region (in our<br />
example, APPCMODE). This must match the mode name in the <strong>CICS</strong><br />
SESSIONS definition. If you are using <strong>CICS</strong> connection autoinstall, this is<br />
must also be specified in the <strong>CICS</strong> SESSIONS autoinstall template (CBPS).<br />
► Local LU name or template<br />
<strong>The</strong> name of the local LU to be used when connecting to the <strong>CICS</strong> region.<br />
Because we were using static LU names, we specified CCLI62LU.<br />
► IP address mask for LU name template<br />
This is the IP address mask used by the <strong>CICS</strong> TG to dynamically create LU<br />
names when using templates; this must be a 32-bit hexadecimal value. Only<br />
set this if you are using <strong>CICS</strong> TG dynamic LU name generation. Since we<br />
were using static names, we let this default to 00000000.<br />
Our settings for the Common TCP62 settings tab are shown in Figure 3-4 and<br />
explained in the following text.<br />
Figure 3-4 Common TCP62 settings in the Configuration Tool<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 47
48 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► Fully qualified CP name or template<br />
<strong>The</strong> fully qualified control point (CP) name for the TCP62 SNA node, or a<br />
template. We defined this as US<strong>IBM</strong>SC.CCLI62CP.<br />
► IP address mask for CP name<br />
An IP address mask for dynamic generation of CP names. We let this default<br />
to zeros (00000000), since we did not use this parameter.<br />
► TCP62 Port 3<br />
This is the TCP/IP port used by VTAM to listen for MPTN packets. We<br />
specified 397, which is the default AnyNet port, which we also specified in the<br />
PORT statement in our VTAM TCP major node (Figure 3-1 on page 45).<br />
On some UNIX platforms (such as Solaris) if you run the Client daemon as a<br />
non-root process you will be unable to use port 397 and will need to specify a<br />
non-restricted port number.<br />
TCP62 dynamic LU names<br />
<strong>The</strong> TCP62 hashing algorithm provides a means of dynamically generating<br />
unique LU62 names for the <strong>CICS</strong> TG based on the local IP address. This<br />
provides the benefit that you don’t have to administer LU name allocation, and<br />
the same CTG.INI file can be used on all your workstations.<br />
To support dynamic LU name generation, you must also have configured the<br />
following features of VTAM and <strong>CICS</strong>:<br />
► VTAM dynamic partner LUs (DYNLU=YES)<br />
► <strong>CICS</strong> APPC CONNECTION autoinstall<br />
As well as using static LU names, we also tested our connection to <strong>CICS</strong> using<br />
dynamic LU names. To enable this feature, you should set the following<br />
parameters in the <strong>CICS</strong> TG Configuration Tool TCP62 settings (see Figure 3-3<br />
on page 46).<br />
► IP address mask for LU name template<br />
► Local LU template<br />
Tip: Contrary to the <strong>CICS</strong> TG documentation, we found that we did not need<br />
to configure the CP name template or IP address mask when using dynamic<br />
LU names. This is because in SNA networking terminology, the AnyNet LU<br />
6.2/IP connection (link station) from the <strong>CICS</strong> TG to VTAM is a low-entry node<br />
(LEN) link. <strong>The</strong>refore, the CP name is only used locally (on the <strong>CICS</strong> TG<br />
machine), so it does not need to be defined to VTAM and does not need to be<br />
unique in the network.
<strong>The</strong> IP address mask should be set to the hexadecimal version of your IP subnet<br />
mask. This will ensure that the LU name generated is unique within your local IP<br />
subnet. We used FFFFFE00, the hexadecimal value of our TCP/IP subnet mask<br />
255.255.254.0. To determine your IP address and TCP/IP subnet mask, you can<br />
use the Windows ipconfig /all command as shown in Example 3-2.<br />
Example 3-2 ipconfig utility<br />
C:> ipconfig /all<br />
Windows 2000 IP Configuration<br />
Host Name . . . . . . . . . . . . : volga<br />
Primary DNS Suffix . . . . . . . : almaden.ibm.com<br />
Node Type . . . . . . . . . . . . : Hybrid<br />
IP Routing Enabled. . . . . . . . : No<br />
WINS Proxy Enabled. . . . . . . . : No<br />
DNS Suffix Search List. . . . . . : itso.ibm.com<br />
almaden.ibm.com<br />
Ethernet adapter Local Area Connection 3:<br />
Connection-specific DNS Suffix . :<br />
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Desktop Connection<br />
Physical Address. . . . . . . . . : 00-02-55-4A-7A-67<br />
DHCP Enabled. . . . . . . . . . . : No<br />
IP Address. . . . . . . . . . . . : 9.1.38.39<br />
Subnet Mask . . . . . . . . . . . : 255.255.254.0<br />
Default <strong>Gateway</strong> . . . . . . . . . : 9.1.38.1<br />
DNS Servers . . . . . . . . . . . : 9.1.8.254<br />
9.14.1.30<br />
IP subnets: <strong>The</strong> subnet is the mask that is applied to an IP address to<br />
determine which bits in an IP address are to be used for local addresses (that<br />
is, addresses on the local subnet) and which bits are to be used for the<br />
network address (that is, on the Internet). Thus, with our subnet mask of<br />
255.255.254.0 (or in binary 11111111.11111111.11111110.00000000) we<br />
have 8 bits free in the fourth byte (0) and 1 bit free in the third byte (254),<br />
giving a total of 9 free bits. This means that we have 2 9 or 512 unique network<br />
addresses available in the subnet.<br />
For each substitution character the TCP62 hashing algorithm uses 5 bits from<br />
the IP address. <strong>The</strong> <strong>CICS</strong> connection autoinstall program (DFHZATDY) uses the<br />
last four characters of the LU name to generate the connection name, which has<br />
to be unique within the <strong>CICS</strong> region. <strong>The</strong>refore, if you wish to ensure that the<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 49
50 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
dynamically generated TCP62 LU names and the <strong>CICS</strong> connections names are<br />
unique, you should obey the following rules:<br />
► Set the TCP62 IP address mask to be equal to the TCP/IP subnet mask.<br />
► Set the TCP62 LU name template to have four or less trailing * characters.<br />
► Ensure you use enough substitution characters (*) to accommodate all the<br />
unique IP addresses in your subnet as shown in Table 3-3.<br />
Generating unique LU names: <strong>The</strong>re are 32 different values that the<br />
algorithm can use for each substitution character. Generating 32 different<br />
values requires 5 unique bits (2 5 =32). This means that up to 5 bits are used<br />
for each substitution character, starting from the right. Based upon this fact,<br />
Table 3-3 helps you determine the minimum number of substitution characters<br />
to use in your template name to guarantee generated LU names will be unique<br />
within your subnet.<br />
In our example, we have a subnet mask of 255.255.254.0, which has 9 bits<br />
free for local network addresses, and therefore a possible 2 9 (512) unique IP<br />
address in the subnet. We used two substitution characters that can<br />
accommodate up to 2 10 combinations (1024), which is more than enough to<br />
cover the 512 unique IP addresses in our subnet.<br />
Table 3-3 Values required to generate unique LU names<br />
Number of free bits in<br />
the IP address mask<br />
Number of substitution<br />
characters you should<br />
allow<br />
In our example we used the following values.<br />
LU name template CCLIEE**<br />
IP address 9.1.38.39<br />
IP subnet mask FFFFFE00<br />
Number of bits for local addresses 9<br />
Maximum number of<br />
unique names this gives<br />
you<br />
16-20 4 (XXXX****) 2 20 = 1,048,576<br />
11-15 3 (XXXXX***) 2 15 = 32,768<br />
6-10 2 (XXXXXX**) 2 10 = 1024<br />
1-5 1 (XXXXXXX*) 2 5 = 32<br />
Using these values, the TCP62 algorithm created a local LU name of CCLIEE17<br />
and the <strong>CICS</strong> connection autoinstall program, DFHZATDY, created a connection<br />
called EE17. We can be sure that this name is unique for all 512 different network<br />
addresses in our TCP/IP subnet.
Note: Although using this technique ensures our LU names will be unique<br />
within the subnet, it is possible that two machines from different subnets will<br />
connect to the same <strong>CICS</strong> region, causing a potential name clash. In this<br />
case, we suggest that you ensure that you only use three (or less) substitution<br />
characters and that the fifth characters in the LU name template is different for<br />
each subnet.<br />
To help you in determining what a given TCP62 LU name will be for different<br />
inputs, we developed a sample utility, tcp62locallu.exe, that takes a given IP<br />
address, subnet mask, and LU name template, and generates the LU name that<br />
TCP62 will use. This use of this utility is illustrated in Figure 3-3 and it is provided<br />
with the additional material for this book.<br />
Example 3-3 tcp62locallu utility<br />
C:> tcp62locallu.exe CCLIE*** FFFFFE00 9.1.38.39<br />
Local LU template: CCLIE***<br />
Address mask : FFFFFE00<br />
IP address : 9.1.38.39<br />
Local LU is CCLIEE17<br />
Configuring TCP/IP host names<br />
Since TCP62 flows SNA LU 6.2 packets over TCP/IP, you need to define a<br />
mapping of the SNA partner LU name to an IP address. Our partner LU is our<br />
<strong>CICS</strong> region, with a fully qualified LU name of US<strong>IBM</strong>SC.SCSCPJA1. This needs<br />
to be mapped to the IP address of our z/OS system wtsc66, which is 9.12.6.6.<br />
<strong>The</strong> function in TCP62 achieves this by generating a host name from the<br />
concatenation of the following elements separated by periods:<br />
LU name (5) + network name of the LU (4) + domain name suffix (2)<br />
We defined a mapping of this host name to the IP address of our z/OS system<br />
using the TCP/IP hosts file (C:\WINNT\system32\drivers\etc\hosts) on our<br />
Windows 2000 workstation. <strong>The</strong> following is the line we added to our hosts file.<br />
9.12.6.6 SCSCPJA1.US<strong>IBM</strong>SC.ITSO.<strong>IBM</strong>.COM<br />
If you wish to use the same CTG.INI configuration file across multiple client<br />
workstations, you will also need to provide a means of resolving the TCP62 host<br />
name to the correct z/OS IP address on all workstations. Instead of just using the<br />
TCP/IP hosts file, it is possible to add an entry to the Domain Name System<br />
(DNS) server used by the workstations.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 51
52 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
However, if you do use a DNS entry to resolve the TCP62 host name, you will<br />
most likely need to create a new subdomain since the SNA network name<br />
(US<strong>IBM</strong>SC) is prefixed onto the domain name suffix to form a new domain<br />
(US<strong>IBM</strong>SC.ITSO.<strong>IBM</strong>.COM) in which the LU name (SCSCPJA1) is located.<br />
Tip: If you are using the hosts file to resolve the z/OS host name, there is no<br />
reason why the domain name suffix should match the TCP/IP network name<br />
(itso.ibm.com). However, we used this to simplify our configuration.<br />
Testing the configuration<br />
After we installed and configured the software components, we tested our<br />
configuration as follows:<br />
1. Pinged the TCP/IP connection to the z/OS system using our AnyNet host<br />
name SCSCPJA1.US<strong>IBM</strong>SC.ITSO.<strong>IBM</strong>.COM as shown in Example 3-4.<br />
Example 3-4 Ping to check host name<br />
C:\>ping SCSCPJA1.US<strong>IBM</strong>SC.ITSO.<strong>IBM</strong>.COM<br />
Pinging SCSCPJA1.US<strong>IBM</strong>SC.ITSO.<strong>IBM</strong>.COM [9.12.6.6] with 32 bytes of data:<br />
Reply from 9.12.6.6: bytes=32 time=110ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
2. Checked that the port number 397 is listening at our host.<br />
We used a shareware product called ScanPort to scan the ports in use on our<br />
z/OS system. <strong>The</strong> output from our scan is shown in Figure 3-5 on page 53.<br />
Using ScanPort, we can see that port 397 is in use on our host at address<br />
9.12.6.6. You may note that the Detail field tells us that this is registered as<br />
the MPTN port on our local machine. Multi-Protocol Transport Network<br />
(MPTN) is the network transport used by TCP62 and AnyNet to send LU 6.2<br />
packets over an IP network.<br />
If you wish to use the ScanPort utility, it can be downloaded from the following<br />
Web site:<br />
http://www.dataset.fr/eng/scanport.html
Figure 3-5 ScanPort utility<br />
3. Started the <strong>CICS</strong> region SCSCPJA1.<br />
4. Started the <strong>CICS</strong> TG connection to the <strong>CICS</strong> region using the command<br />
<strong>CICS</strong>CLI /S=SC62PJA1. (SC62PJA1 is the server name given in the Client<br />
configuration step in Figure 3-3 on page 46.)<br />
5. Checked the status of the connection to the <strong>CICS</strong> region using the command<br />
<strong>CICS</strong>CLI /L. <strong>The</strong> connection status is available, as shown in Example 3-5.<br />
Example 3-5 Checking connection status<br />
C:\><strong>CICS</strong>CLI /L<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL8041I <strong>The</strong> <strong>CICS</strong> Client is using the following servers:<br />
CCL8042I Server 'SC62PJA1' (using 'TCP62' to 'US<strong>IBM</strong>SC.SCSCPJA1') is available<br />
6. Issued the <strong>CICS</strong>TERM /S=SC62PJA1 command to install a client terminal on the<br />
<strong>CICS</strong> region.<br />
7. Ran the <strong>CICS</strong>-supplied transaction CEMT I CONN to display the status of our<br />
TCP62 connection (Figure 3-6 on page 54). You can see that our TCP62<br />
connection has been autoinstalled as 62LU, which are the last four characters<br />
of the LU name (CCLI62LU), and is marked Acq, meaning SNA sessions are<br />
bound. <strong>The</strong> other connection displayed is CBPS, the APPC connection<br />
autoinstall template.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 53
Figure 3-6 CEMT I CONN<br />
54 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Lastly we checked the <strong>CICS</strong> region CSMT log to view the messages from the<br />
<strong>CICS</strong> connection autoinstall, as shown in Example 3-6.<br />
Example 3-6 <strong>CICS</strong> log messages from the connection autoinstall<br />
DFHZC6935 I 05/28/2002 13:58:50 SCSCPJA1 Autoinstall for connection 62LU with netname CCLI62LU<br />
using model or template CBPS successful.<br />
DFHZC3461 I 05/28/2002 13:58:50 SCSCPJA1 -AAY CSNE Node CCLI62LU session started. ((1) Module<br />
name: DFHZOPX) NQNAME -AAY,CSNE,13:58:50,US<strong>IBM</strong>SC CCLI62LU<br />
DFHZC4900 I 05/28/2002 13:58:50 SCSCPJA1 -AAY CLS1 CNOS received from Node CCLI62LU System 62LU<br />
Modename APPCMODE, Max =8, Win=7, successful. ((1) Module name: DFHZGCN)<br />
DFHZC3461 I 05/28/2002 13:58:50 SCSCPJA1 -AAX CSNE Node CCLI62LU session started. ((2) Module<br />
name: DFHZOPX) NQNAME -AAX,CSNE,13:58:50,US<strong>IBM</strong>SC CCLI62LU<br />
DFHZC3461 I 05/28/2002 13:58:50 SCSCPJA1 -AA6 CSNE Node CCLI62LU session started. ((1) Module<br />
name: DFHZOPX) NQNAME -AA6,CSNE,13:58:50,US<strong>IBM</strong>SC CCLI62LU<br />
DFHZC5966 I 05/28/2002 16:10:46 SCSCPJA1 INSTALL started for TERMINAL ( \AAA) (Module name:<br />
DFHBSTZ).
3.5 Problem determination<br />
3.5.1 Tips and utilities<br />
In this section, we document information we learned while configuring this<br />
scenario, as well as further information on problem determination and tracing.<br />
In this section, you will find useful commands and utilities for debugging any<br />
problems with your configuration. You will also find some additional information<br />
about topics discussed in this chapter.<br />
Logs<br />
For problem determination at the client side, it is best to check the <strong>CICS</strong>CLI.LOG<br />
under the /bin directory for error messages. If this does not give enough<br />
information, you should start the <strong>CICS</strong> TG connection with trace as shown in<br />
3.5.2, “Tracing” on page 61.<br />
For problem determination with APPC connections into <strong>CICS</strong> TS, refer to the<br />
following logs:<br />
► z/OS system log (SDSF.LOG) for VTAM information messages<br />
► <strong>CICS</strong> console and CSMT logs for <strong>CICS</strong> messages<br />
Windows TCP/IP status<br />
To check the status of TCP/IP as used by AnyNet on the workstation, you can<br />
issue the netstat /a /n command to view socket usage as shown in<br />
Example 3-7.<br />
Example 3-7 Client side netstat information<br />
C:\>netstat /a /n<br />
Proto Local Address Foreign Address State<br />
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:397 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1039 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1073 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1161 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1186 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:1187 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:9495 0.0.0.0:0 LISTENING<br />
TCP 9.1.38.39:139 0.0.0.0:0 LISTENING<br />
TCP 9.1.38.39:397 9.12.6.6:1263 ESTABLISHED<br />
TCP 9.1.38.39:1033 0.0.0.0:0 LISTENING<br />
TCP 9.1.38.39:1072 0.0.0.0:0 LISTENING<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 55
56 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
TCP 9.1.38.39:1072 9.1.38.11:139 ESTABLISHED<br />
TCP 9.1.38.39:1073 9.12.14.8:23 ESTABLISHED<br />
TCP 9.1.38.39:1161 9.12.6.6:23 ESTABLISHED<br />
TCP 9.1.38.39:1186 9.12.6.6:397 ESTABLISHED<br />
TCP 9.1.38.39:1187 9.12.6.6:397 ESTABLISHED<br />
UDP 0.0.0.0:135 *:*<br />
UDP 0.0.0.0:397 *:*<br />
UDP 0.0.0.0:445 *:*<br />
UDP 0.0.0.0:1036 *:*<br />
UDP 0.0.0.0:1185 *:*<br />
UDP 9.1.38.39:137 *:*<br />
UDP 9.1.38.39:138 *:*<br />
UDP 9.1.38.39:500 *:*<br />
This shows that the <strong>CICS</strong> TG TCP62 function is using the TCP and UDP ports<br />
397 on our workstation (9.1.38.39), and that three sessions are established using<br />
TCP connections with the z/OS system (9.12.6.6).<br />
UDP: Note that AnyNet uses UDP connections for LU 6.2 expedited flows, as<br />
well as for session unbinds and for the AnyNet inactivity timers. <strong>The</strong>refore if<br />
you use a firewall to block certain ports, you must open both the TCP and UDP<br />
ports. If you do not open the UDP ports, you will see sessions disconnected<br />
with inactivity, and failures during session unbinds.<br />
Display MVS TCP/IP status<br />
<strong>The</strong> D TCPIP command issued from SDSF displays the status of TCP/IP on the<br />
z/OS system as shown in Example 3-8.<br />
Example 3-8 Status of TCP/IP<br />
D TCPIP<br />
RESPONSE=SC66<br />
EZAOP50I TCPIP STATUS REPORT 014<br />
COUNT TCPIP NAME VERSION STATUS<br />
----- ---------- -------- ------------------------<br />
1 TCPIPOE CS V1R2 ACTIVE<br />
2 TCPIPMVS CS V1R2 ACTIVE<br />
*** END TCPIP STATUS REPORT ***<br />
EZAOP41I 'DISPLAY TCPIP' COMMAND COMPLETED SUCCESSFULLY<br />
In our example, we were using two TCP/IP stacks on our z/OS system,<br />
TCPIPMVS and TCPIPOE. We used the TCPIPMVS stack with the VTAM<br />
AnyNet feature.<br />
To display the TCP/IP sockets in use by AnyNet, you can use the MVS NETSTAT<br />
command as shown in Example 3-9 on page 57. This will give you the same
information that you got from the client side. <strong>The</strong> following screen shows the<br />
NETSTAT output with sessions bound from <strong>CICS</strong> to our TCP62 client on IP<br />
address 9.1.38.39. As you can see, AnyNet uses both TCP and UDP protocols.<br />
Example 3-9 MVS NETSTAT<br />
MVS TCP/IP NETSTAT CS V1R2 TCPIP NAME: TCPIPMVS 01:02:47<br />
User Id Conn Local Socket Foreign Socket State<br />
------- ---- ------------ -------------- -----<br />
VTAMBUDI 0000A26F 9.12.6.6..397 9.1.38.39..1186 Establsh<br />
VTAMBUDI 0000A271 9.12.6.6..397 9.1.38.39..1187 Establsh<br />
VTAMBUDI 00001E57 0.0.0.0..397 0.0.0.0..0 Listen<br />
VTAMBUDI 0000A270 9.12.6.6..1263 9.1.38.39..397 Establsh<br />
VTAMBUDI 00001E56 0.0.0.0..397 *..* UDP<br />
VTAMBUDI 00001E5D 9.12.6.6..2978 *..* UDP<br />
Display VTAM AnyNet status<br />
<strong>The</strong> VTAM command D NET,STATS,TYPE=VTAM shows whether VTAM AnyNet is<br />
installed and the number of TCP major nodes defined to VTAM as shown in<br />
Example 3-10.<br />
Example 3-10 AnyNet part of the VTAM statistics<br />
D NET,STATS,TYPE=VTAM<br />
IST097I DISPLAY ACCEPTED<br />
IST350I DISPLAY TYPE = STATS,TYPE=VTAM 225<br />
IST1349I COMPONENT ID IS 5695-11701-120<br />
IST1345I ID VALUE DESCRIPTION<br />
IST1227I 130 YES = ANYNET/MVS SNA OVER TCP/IP INSTALLED<br />
IST1227I 127 1 = TCP/IP MAJOR NODES<br />
IST1227I 128 10 = MAXIMUM TCB VALUE FOR TCP/IP MAJOR NODES<br />
IST1227I 129 3 = TCP/IP LU-LU SESSIONS<br />
<strong>The</strong> VTAM command D NET,ID=APTCP01 displays the status of the TCP major<br />
node as shown in Example 3-11. If you do not know the VTAM major node name,<br />
you can use the command D NET,MAJNODES to list all the defined major nodes.<br />
Example 3-11 TCP major node<br />
D NET,ID=APTCP01<br />
IST097I DISPLAY ACCEPTED<br />
IST075I NAME = APTCP01, TYPE = TCP/IP MAJOR NODE 236<br />
IST486I STATUS= ACTIV, DESIRED STATE= ACTIV<br />
IST1342I DNSUFX = ITSO.<strong>IBM</strong>.COM<br />
IST1692I TCB = 10 TCP PORT = 397<br />
IST1400I DGTIMER = 40 EXTIMER = 5<br />
IST1406I CONTIMER = 25 IATIMER = 60<br />
IST654I I/O TRACE = OFF, BUFFER TRACE = OFF<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 57
IST314I END<br />
58 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> VTAM command D NET,ID=TCP01PU,E displays the status of a TCP physical<br />
unit (PU) in VTAM, as shown in Example 3-12. TCP01PU is the TCP PU defined<br />
in the TCP major node name. <strong>The</strong> important information from this command is<br />
that AnyNet TCP PU is active. If this is not active, TCP62 clients will not work.<br />
Also note that dynamic LUs are supported, so we can use dynamic LU names in<br />
VTAM.<br />
Example 3-12 Status of TCP PU<br />
D NET,ID=TCP01PU,E<br />
IST097I DISPLAY ACCEPTED<br />
IST075I NAME = TCP01PU, TYPE = PU_T2.1 241<br />
IST486I STATUS= ACTIV--L--, DESIRED STATE= ACTIV<br />
IST1043I CP NAME = ***NA***, CP NETID = US<strong>IBM</strong>SC, DYNAMIC LU = YES<br />
IST1589I XNETALS = NO<br />
IST081I LINE NAME = TCP01LNE, LINE GROUP = TCP01GRP, MAJNOD = APTCP01<br />
IST654I I/O TRACE = OFF, BUFFER TRACE = OFF<br />
IST1500I STATE TRACE = OFF<br />
IST355I LOGICAL UNITS:<br />
IST080I CCLI62LU ACT/S----Y<br />
IST314I END<br />
Display VTAM LU status<br />
<strong>The</strong> VTAM command D NET,ID=SCSCPJA1,E displays the status of the VTAM LU<br />
for the <strong>CICS</strong> region and any sessions bound as shown in Example 3-13.<br />
Example 3-13 VTAM information from our <strong>CICS</strong> region SCSCPJA1<br />
D NET,ID=SCSCPJA1,E<br />
IST097I DISPLAY ACCEPTED<br />
IST075I NAME = US<strong>IBM</strong>SC.SCSCPJA1, TYPE = APPL 358<br />
IST486I STATUS= ACT/S, DESIRED STATE= ACTIV<br />
IST1447I REGISTRATION TYPE = CDSERVR<br />
IST977I MDLTAB=***NA*** ASLTAB=***NA***<br />
IST861I MODETAB=MTAPPC USSTAB=***NA*** LOGTAB=***NA***<br />
IST934I DLOGMOD=***NA*** USS LANGTAB=***NA***<br />
IST1632I VPACING = 0<br />
IST597I CAPABILITY-PLU ENABLED ,SLU ENABLED ,SESSION LIMIT NONE<br />
IST231I APPL MAJOR NODE = APCPJA1<br />
IST654I I/O TRACE = OFF, BUFFER TRACE = OFF<br />
IST1500I STATE TRACE = OFF<br />
IST271I JOBNAME = SCSCPJA1, STEPNAME = SCSCPJA1, DSPNAME = IST99C78<br />
IST1050I MAXIMUM COMPRESSION LEVEL - INPUT = 0, OUTPUT = 0<br />
IST1633I ASRCVLM = 1000000<br />
IST1634I DATA SPACE USAGE: CURRENT = 0 MAXIMUM = 512
IST171I ACTIVE SESSIONS = 0000000003, SESSION REQUESTS = 0000000000<br />
IST206I SESSIONS:<br />
IST634I NAME STATUS SID SEND RECV VR TP NETID<br />
IST635I CCLI62LU ACTIV/SV-S ECF7040A341DB863 0001 0000 US<strong>IBM</strong>SC<br />
IST635I CCLI62LU ACTIV-P 101512001C04D207 0001 0001 US<strong>IBM</strong>SC<br />
IST635I CCLI62LU ACTIV/SV-P 101511001C04D207 0001 0001 US<strong>IBM</strong>SC<br />
IST314I END<br />
This screen provides a wealth of information, but the most important information<br />
is that the LU status is active with sessions (ACT/S). It is using the mode table<br />
MTAPPC (which contains our log mode APPCMODE), and it has three active<br />
sessions. To obtain more information on the active sessions listed, you can use<br />
the VTAM command D NET,SESSIONS,LU1=CCLI62LU,LIST=ALL as shown in<br />
Example 3-14:<br />
Example 3-14 <strong>CICS</strong> TG APPC sessions<br />
D NET,SESSIONS,LU1=CCLI62LU,LIST=ALL<br />
IST097I DISPLAY ACCEPTED<br />
IST350I DISPLAY TYPE = SESSIONS 361<br />
IST873I PLU SLU SID STATUS<br />
IST874I US<strong>IBM</strong>SC.SCSCPJA1 US<strong>IBM</strong>SC.CCLI62LU ECF7040A341DB863 ACTIV/SV<br />
IST874I US<strong>IBM</strong>SC.CCLI62LU US<strong>IBM</strong>SC.SCSCPJA1 101512001C04D207 ACTIV<br />
IST874I US<strong>IBM</strong>SC.CCLI62LU US<strong>IBM</strong>SC.SCSCPJA1 101511001C04D207 ACTIV/SV<br />
IST924I -------------------------------------------------------------<br />
IST878I NUMBER OF PENDING SESSIONS = 0<br />
IST924I -------------------------------------------------------------<br />
IST878I NUMBER OF ACTIVE SESSIONS = 3<br />
IST924I -------------------------------------------------------------<br />
IST878I NUMBER OF QUEUED SESSIONS = 0<br />
IST924I -------------------------------------------------------------<br />
IST878I NUMBER OF TOTAL SESSIONS = 3<br />
IST314I END<br />
You may also use the following command, as shown in Example 3-15, where SID<br />
is a session ID:<br />
D NET,SESSIONS,SID=101512001C04D207<br />
If you display all the three sessions, you will find out that the first one is for<br />
SNASVCMG (the LU 6.2 service manager mode) and the last two are the real<br />
<strong>CICS</strong> TG sessions for the APPCMODE.<br />
Example 3-15 <strong>CICS</strong> TG session information<br />
D NET,SESSIONS,SID=101512001C04D207<br />
IST097I DISPLAY ACCEPTED<br />
IST350I DISPLAY TYPE = SESSIONS 367<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 59
60 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
IST879I PLU/OLU REAL = US<strong>IBM</strong>SC.CCLI62LU ALIAS = ***NA***<br />
IST879I SLU/DLU REAL = US<strong>IBM</strong>SC.SCSCPJA1 ALIAS = ***NA***<br />
IST880I SETUP STATUS = ACTIV<br />
IST875I ALSNAME TOWARDS PLU = TCP01PU<br />
IST933I LOGMODE=APPCMODE, COS=*BLANK*<br />
IST1165I LOCAL TCP/IP ADDRESS = 9.12.6.6..397<br />
IST1165I REMOTE TCP/IP ADDRESS = 9.1.38.39..1187<br />
IST1635I PLU HSCB TYPE: BSB LOCATED AT ADDRESS X'0E701238'<br />
IST1635I SLU HSCB TYPE: FMCB LOCATED AT ADDRESS X'0874A218'<br />
IST1636I PACING STAGE(S) AND VALUES:<br />
IST1644I PLU--STAGE 1-----|-----STAGE 2--SLU<br />
IST1638I STAGE1: PRIMARY TO SECONDARY DIRECTION - FIXED<br />
IST1640I SECONDARY RECEIVE = *NA*<br />
IST1641I STAGE1: SECONDARY TO PRIMARY DIRECTION - FIXED<br />
IST1642I SECONDARY SEND: CURRENT = 0 NEXT = 0<br />
IST1638I STAGE2: PRIMARY TO SECONDARY DIRECTION - ADAPTIVE<br />
IST1639I PRIMARY SEND: CURRENT = 0 NEXT = 32767<br />
IST1640I SECONDARY RECEIVE = 32767<br />
IST1641I STAGE2: SECONDARY TO PRIMARY DIRECTION - ADAPTIVE<br />
IST1642I SECONDARY SEND: CURRENT = 0 NEXT = 7<br />
IST1643I PRIMARY RECEIVE = 0<br />
IST1714I NO PATH INFORMATION EXISTS<br />
IST314I END<br />
SNA sense codes<br />
We found the Personal Communications GetSense utility helpful for quickly<br />
looking up SNA sense code. To launch GetSense from Windows, click Start -><br />
Programs -> <strong>IBM</strong> Personal Communications -> Administrative and PD Aids<br />
and click Display SNA Sense Data. <strong>The</strong> GetSense window will appear, as<br />
shown in Figure 3-7.<br />
Figure 3-7 GetSense window
3.5.2 Tracing<br />
SNA sense data can be entered in the Sense Data field and a detailed sense<br />
code description displayed by clicking Lookup.<br />
In this section, we provide information on how to use the trace facilities provided<br />
with the Client daemon to debug a simple TCP62 communications problem.<br />
Client daemon<br />
<strong>The</strong> first place to look for error messages when using the <strong>CICS</strong> TG on the<br />
Windows system is the log file. This is specified in the Client configuration<br />
parameters in the <strong>CICS</strong> TG Configuration Tool. We used the default name<br />
<strong>CICS</strong>CLI.LOG, which can be found in the <strong>CICS</strong> TG \bin subdirectory.<br />
<strong>The</strong> first step to useful tracing with the Client daemon is identifying which<br />
components should be traced. A full list is shown in Example 3-16 and can be<br />
viewed using the command <strong>CICS</strong>CLI /M. If in doubt, you should trace with the<br />
default selected components, since these have been selected to be sufficient to<br />
diagnose most problems. <strong>The</strong> default components have an X in front of them in<br />
the following example. To turn on all the parameters, you can use the /M=ALL<br />
option.<br />
Example 3-16 <strong>CICS</strong> TG client trace options<br />
C:\>cicscli /m<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL1120I Trace has not been started<br />
CCL1100I <strong>The</strong> following list shows what components can be traced<br />
CCL1101I An 'X' indicates which components are enabled<br />
CCL1102I <strong>CICS</strong>CLI Command Process [CLI]<br />
CCL1103I Interprocess Communication [TRN]<br />
CCL1104I X Protocol Drivers (Level 1) [DRV.1]<br />
CCL1105I Protocol Drivers (Level 2) [DRV.2]<br />
CCL1106I X API (Level 1) [API.1]<br />
CCL1107I API (Level 2) [API.2]<br />
CCL1108I X Client Daemon [CCL]<br />
CCL1109I Terminal Emulators [EMU]<br />
CCL1111I C++ Class Libraries [CPP]<br />
CCL1112I Workload Manager [LMG]<br />
CCL1113I <strong>CICS</strong> Client Service for NT [SER]<br />
Trace is written to a binary file called, by default, <strong>CICS</strong>CLI.BIN. To read the trace,<br />
you must format the binary file into a text file by using the <strong>CICS</strong>FTRC /D<br />
command. This will produce a viewable file called <strong>CICS</strong>CLI.TRC. Both<br />
<strong>CICS</strong>CLI.BIN and <strong>CICS</strong>CLI.TRC are found, by default, in the \BIN subdirectory.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 61
62 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> <strong>CICS</strong> TG Client daemon trace is started with the <strong>CICS</strong>CLI /D command. If<br />
you need to trace the client from startup, you can specify all the parameters<br />
needed together on the command line, such as:<br />
<strong>CICS</strong>CLI /S=SCSCPJA1 /D=9999 /M=ALL<br />
For more information on Client daemon tracing, wrapping trace, and formatting<br />
options, refer to <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Windows Client Administration,<br />
SC34-5940.<br />
Example trace<br />
To provide an example tracing scenario we disabled connection autoinstall on our<br />
<strong>CICS</strong> region and tried to connect using TCP62 from our Windows workstation. To<br />
disable autoinstall on <strong>CICS</strong>, we used the <strong>CICS</strong> command:<br />
CEMT SET AUTOI PROGR(DFHZATDX)<br />
To start the Client daemon and format the trace, we did the following from a<br />
Windows command prompt:<br />
1. We started the <strong>CICS</strong> TG connection to the <strong>CICS</strong> region using the command:<br />
<strong>CICS</strong>CLI /S=SC62PJA1 /D=9999 /M=DRV.1,DRV.2<br />
2. We stopped the <strong>CICS</strong> TG connection to the <strong>CICS</strong> region using the command:<br />
<strong>CICS</strong>CLI /X<br />
3. We formatted the trace with detailed formatting using the command:<br />
<strong>CICS</strong>FTRC /D<br />
<strong>The</strong> trace was output to the file <strong>CICS</strong>CLI.TRC in the <strong>CICS</strong> TG bin directory. As<br />
shown in Example 3-17, the first network flow is an MPTN_Connect, from the<br />
Client daemon with the node address US<strong>IBM</strong>SC.CCLI62LU. <strong>The</strong> destination<br />
address is our <strong>CICS</strong> server, US<strong>IBM</strong>SC.SCSCPJA1.<br />
Example 3-17 trace of connect<br />
12:23:20.040 [00000780,000007f0] [5874] DRV:CCL5899 TCP62: connected<br />
006c-SC62PJA1<br />
12:23:20.050 [00000780,000007f0] [5879] DRV:CCL5894 TCP62: send ctl<br />
006c-SC62PJA1 Length=254<br />
...<br />
________________________________________________MPTN Flow - Start_<br />
00000004 Command Type = (0x80) MPTN_Connect<br />
...<br />
Destination User Address:<br />
00000009 MPTN Qualifier = (0x0b) SNA network-qualified LU name<br />
0000000a Address Mode = (0x01) individual address<br />
0000000c Node Address = "US<strong>IBM</strong>SC.SCSCPJA1"<br />
0000001c Local Address = (0x01) null
Source User Address:<br />
0000001d MPTN Qualifier = (0x0b) SNA network-qualified LU name<br />
0000001e Address Mode = (0x01) individual address<br />
00000020 Node Address = "US<strong>IBM</strong>SC.CCLI62LU"<br />
00000030 Local Address = (0x01) null<br />
<strong>The</strong> response from our <strong>CICS</strong> server is shown in Example 3-18. <strong>The</strong> MPTN flow<br />
details show that the request was recognized by the destination but has been<br />
rejected. <strong>The</strong> SNA flow details show that the destination has responded with an<br />
UNBIND request for the Client daemon, identified by the fully qualified CP name<br />
US<strong>IBM</strong>SC.CCLI62CP. <strong>The</strong> SNA sense data is 0x08100000.<br />
Example 3-18 Trace of <strong>CICS</strong> response<br />
12:23:20.170 [00000780,000007f0] [5863] DRV:CCL5898 TCP62: Sockets thread<br />
posted, Rc= 1<br />
12:23:20.170 [00000780,000007f0] [5887] DRV:CCL5894 TCP62: recv ctl<br />
006c-SC62PJA1 Length=208<br />
...<br />
________________________________________________MPTN Flow - Start_<br />
00000004 Command Type = (0x80) MPTN_Connect<br />
00000005 Processing Specification:<br />
00000005 (0b111) -ve response, recognised by destination but rejected<br />
00000005 (0b0) <strong>Gateway</strong> recognised command<br />
00000005 (0b0) Destination recognised command<br />
...<br />
- - - - - - - - - - - - - - - - - - - - - - - - SNA Flow - Start-<br />
...<br />
00000056 Request Code = (0x32) UNBIND<br />
...<br />
00000067 Network-Qualified CP Name = "US<strong>IBM</strong>SC.CCLI62CP"<br />
Control Vector:<br />
00000077 Key = (0x35) Extended Sense Data<br />
00000079 Sense Data = 0x08010000<br />
...<br />
12:23:20.170 [00000780,000007f0] [5894] DRV:CCL5815 TCP62: Session<br />
006c-SC62PJA1 MPTNCONN rejected, Rc=0007,0000, sense data=08010000<br />
<strong>The</strong> MPTNCONN rejected message is output further down the trace, giving the<br />
SNA sense data. <strong>The</strong> GetSense utility can be used to determine what this data<br />
means, as shown in Figure 3-8 on page 64. <strong>The</strong> code indicates that the <strong>CICS</strong> LU<br />
is not available.<br />
Chapter 3. TCP62 connections to <strong>CICS</strong> 63
64 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 3-8 GetSense showing the SNA sense data<br />
Finally, we examined the <strong>CICS</strong> log to find the message DFHZC6921W. As shown<br />
in Example 3-19, autoinstall was started for the Client daemon connection, but<br />
because we disabled connection autoinstall it was disallowed and therefore the<br />
connection was rejected.<br />
Example 3-19 <strong>CICS</strong> log showing autoinstall rejected<br />
DFHZC6907 I 07/09/2002 15:24:07 SCSCPJA1 Autoinstall starting for netname<br />
CCLI62LU. Network qualified name is US<strong>IBM</strong>SC.CCLI62LU.<br />
DFHZC6921 W 07/09/2002 15:24:07 SCSCPJA1 Autoinstall for NETNAME CCLI62LU has<br />
been disallowed by the autoinstall control program. Code X'FA07'<br />
DFHZC2411 E 07/09/2002 15:24:07 SCSCPJA1 DUMY CSNE CCLI62LU attempted invalid<br />
logon. ((7) Module name: DFHZATA) NQNAME DUMY,CSNE,15:24:07,US<strong>IBM</strong>SC<br />
CCLI62LU<br />
Using the <strong>CICS</strong> messages and codes transaction, CMAC we used the code<br />
FA07 for the message DFHZC6921 to determine why connection autoinstall had<br />
failed. <strong>The</strong> output indicates that APPC connection autoinstall is not supported or<br />
failed.<br />
Example 3-20 CMAC output for ZC6921<br />
X'FA07' If APPC autoinstall is not supported, use the<br />
netname to determine which device is<br />
attempting autoinstall.<br />
If APPC autoinstall is supported, examine the<br />
autoinstall control program to determine why it<br />
has not set the return code to allow the install.
Chapter 4. EXCI connections to <strong>CICS</strong><br />
4<br />
In this chapter, we discuss the implementation and problem diagnosis of the<br />
External <strong>CICS</strong> Interface (EXCI) protocol as used by the <strong>CICS</strong> TG in the z/OS<br />
environment.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 65
4.1 Introduction to EXCI<br />
66 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> EXCI provides a means for non-<strong>CICS</strong> address spaces on z/OS to link to<br />
programs in a <strong>CICS</strong> region. For example, the EXCI allows batch jobs to connect<br />
to <strong>CICS</strong> and also allows the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS to make calls to<br />
<strong>CICS</strong> (Figure 4-1).<br />
<strong>CICS</strong><br />
<strong>Transaction</strong><br />
<strong>Gateway</strong><br />
EXCI<br />
MRO/IRC<br />
EXCI pipes<br />
Figure 4-1 <strong>CICS</strong> client-server connections<br />
MRO<br />
connection<br />
z/OS<br />
<strong>CICS</strong> TS<br />
region<br />
On z/OS the use of the EXCI limits the <strong>CICS</strong> TG to the subset of the ECI that the<br />
EXCI supports, and prevents use of the EPI to invoke 3270-based transactions,<br />
or the ESI to invoke password expiration management (PEM) functions in <strong>CICS</strong>.<br />
For further details on the different interfaces (ECI, EPI, ESI) provided by the<br />
<strong>CICS</strong> TG, refer to 1.2, “<strong>CICS</strong> TG: Interfaces” on page 11.<br />
For all connected EXCI client systems, the <strong>CICS</strong> server region requires both a<br />
CONNECTION and SESSIONS definition. <strong>The</strong> CONNECTION definition<br />
identifies the remote system, and one or more SESSIONS definitions are<br />
associated with this CONNECTION to define the properties of the sessions.<br />
In the following sections, we provide further information on setting up EXCI on<br />
z/OS. For more details, refer to the <strong>CICS</strong> External Interfaces Guide, SC33-1944.<br />
<strong>The</strong> EXCI protocol is inextricably tied to the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS<br />
and must be set up in tandem with the <strong>CICS</strong> TG for z/OS. For details on how we<br />
configured the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS, refer to Chapter 7, “TCP<br />
connections to the <strong>Gateway</strong> daemon on z/OS” on page 133.<br />
For details on securing connections using the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, refer to<br />
Chapter 6, “<strong>CICS</strong> TG security scenarios” on page 99.
4.1.1 Software checklist<br />
We used the following levels of software:<br />
► z/OS V1.2<br />
► <strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
4.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used to configure this scenario are summarized in Table 4-1.<br />
Before you configure the products, we recommend that you decide on definitions<br />
for each parameter listed. <strong>The</strong> Example column shows the values we used in our<br />
configuration.<br />
Table 4-1 Definitions checklist for EXCI<br />
<strong>CICS</strong> region <strong>CICS</strong> TG Example<br />
NETNAME DFHJVPIPE SCSCTG5<br />
CONNECTION name CTG5<br />
RECEIVEPFX C5<br />
In addition, we also had to deploy our <strong>CICS</strong> COBOL application EC01, and to<br />
configure a DFHCNV data conversion template in <strong>CICS</strong> for use by this program.<br />
Refer to Appendix A, “DFHCNV and <strong>CICS</strong> data conversion” on page 329 for<br />
more details.<br />
4.2 EXCI connections<br />
When creating EXCI connections, the following definitions are required:<br />
► SIT parameters, ISC=YES, IRCSTRT=YES<br />
► CONNECTION definition<br />
► SESSIONS definition<br />
In addition you may need to do the following:<br />
► Add surrogate security profiles<br />
► Modify the EXCI options table DFHXCOPT<br />
► Modify the EXCI user-replaceable module DFHXCURM<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 67
4.2.1 EXCI CONNECTION definitions<br />
68 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 4-2 shows the EXCI connection definition we used for the connection to<br />
our <strong>CICS</strong> TG region, SCSCTG5.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0530<br />
CEDA ALter Connection( CTG5 )<br />
Connection : CTG5<br />
Group : CTG5<br />
DEscription ==><br />
CONNECTION IDENTIFIERS<br />
Netname ==> SCSCTG5<br />
INDsys ==><br />
CONNECTION PROPERTIES<br />
ACcessmethod ==> IRc Vtam | IRc | INdirect | Xm<br />
PRotocol ==> Exci Appc | Lu61 | Exci<br />
Conntype ==> Specific Generic | Specific<br />
SInglesess ==> No No | Yes<br />
SECURITY<br />
SEcurityname ==><br />
ATtachsec ==> Local Local | Identify | Verify<br />
| Persistent | Mixidpe<br />
Figure 4-2 EXCI connection definition<br />
SYSID=PAA6 APPLID=SCSCPAA6<br />
<strong>The</strong> important parameters in an EXCI connection definition are:<br />
► CONNECTION<br />
This is the name of the connection itself, as it is known to <strong>CICS</strong>. Any<br />
four-character name can be used. It must match the CONNECTION<br />
parameter specified in the SESSIONS definition. See Figure 4-3 on page 70.<br />
► NETNAME<br />
If this is specified, then the connection is configured to use a specific pipe. If it<br />
is left blank, then the EXCI connection will use a generic pipe. If using specific<br />
pipes, then this must correspond to the name of the pipe as also specified in<br />
the EXCI client program. This is specified on the user_name parameter of an<br />
Initialize_User EXCI call. When using the <strong>CICS</strong> TG for z/OS, this value is<br />
passed to the EXCI using the DFHJVPIPE environment variable, the setting<br />
of which is described in Figure 7-5 on page 149.<br />
If the NETNAME parameter is not specified, then a generic pipe will be used,<br />
which is essentially an unnamed pipe. Generally it is best to use a specific<br />
pipe, since this aids in management of multiple connections and in problem<br />
determination.
Note that when a single <strong>CICS</strong> TG for z/OS region is configured to connect to<br />
more than one <strong>CICS</strong> region, you must use the same NETNAME for all of the<br />
EXCI connections.<br />
Note: It is quite possible to use the same DFHJVPIPE for multiple address<br />
spaces (that is, multiple <strong>Gateway</strong> daemons). However, in this way if all the<br />
address spaces connect to the same region, they will share the same<br />
connection, and this may adversely affect your ability to monitor traffic<br />
across the connection, and will also require a higher RECEIVECOUNT to<br />
be defined in the SESSIONS definition.<br />
► ACCESSMETHOD<br />
For EXCI connections, this must be specified as inter-region communication<br />
(IRC). EXCI is implemented through the IRC program (DFHIRP), using the<br />
supervisor call (SVC) mode of DFHIRP (as opposed to cross memory).<br />
DFHIRP can use the cross-system coupling facility (XCF) MRO links, but<br />
cannot use MVS cross-memory services (XM).<br />
► PROTOCOL<br />
For EXCI, this must be specified as EXCI.<br />
► CONNTYPE<br />
This is the type of EXCI connection used for non-<strong>CICS</strong> jobs to communicate<br />
with a <strong>CICS</strong> region on z/OS. It is a type of MRO request and must be<br />
specified as either specific or generic.<br />
– SPECIFIC: An MRO link with one or more sessions dedicated to a single<br />
user in a client program. For a specific connection, the NETNAME<br />
attribute is mandatory.<br />
– GENERIC: An MRO link with a number of sessions to be shared by<br />
multiple EXCI users. Only one generic EXCI connection can be installed in<br />
each region. For a generic connection, the NETNAME attribute must be<br />
left blank.<br />
► ATTACHSEC<br />
Controls the security checks made using the flowed user ID.<br />
– IDENTIFY: Specifies to <strong>CICS</strong> that a user ID will be flowed on every<br />
request, but no password is expected as <strong>CICS</strong> will trust the user ID as<br />
having been already authenticated. When using the <strong>CICS</strong> TG for z/OS the<br />
user ID will be either the user named in the ECIRequest object or, if null,<br />
the user ID of the thread the ECI request runs under.<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 69
70 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
When using the <strong>CICS</strong> TG for z/OS (using either the <strong>Gateway</strong> daemon or<br />
<strong>WebSphere</strong> Application Server), for security reasons this user ID and<br />
password should be verified with RACF before the EXCI request is made.<br />
– LOCAL: Specifies that a user ID will not be flowed by the remote system,<br />
and instead only the link user ID (if specified) will be used. If no link user<br />
ID is supplied, then all requests will be run under the <strong>CICS</strong> default user ID<br />
as specified in the DFLTUSER SIT parameter.<br />
For more details on <strong>CICS</strong> security, refer to Chapter 6, “<strong>CICS</strong> TG security<br />
scenarios” on page 99.<br />
4.2.2 EXCI SESSIONS definitions<br />
For each EXCI connection definition, it is necessary to use a SESSIONS<br />
definition to define the parameters of the SESSIONS being used. Figure 4-3<br />
shows the SESSIONS definition used for our connection CTG5 to our <strong>CICS</strong> TG<br />
region SCSCTG5.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0530<br />
CEDA ALter Sessions( EXCGSESS )<br />
Sessions : EXCGSESS<br />
Group : CTG5<br />
DEscription ==> <strong>CICS</strong> TG SESSIONS DEFINITION<br />
SESSION IDENTIFIERS<br />
Connection ==> CTG5<br />
SESSName ==><br />
NETnameq ==><br />
MOdename ==><br />
SESSION PROPERTIES<br />
Protocol ==> Exci Appc | Lu61 | Exci<br />
MAximum ==> 000 , 000 0-999<br />
RECEIVEPfx ==> C5<br />
RECEIVECount ==> 100 1-999<br />
SENDPfx ==><br />
SENDCount ==> 1-999<br />
SENDSize ==> 04096 1-30720<br />
RECEIVESize ==> 04096 1-30720<br />
PRESET SECURITY<br />
USERId ==><br />
SYSID=PAA6 APPLID=SCSCPAA6<br />
Figure 4-3 EXCI sessions definition
<strong>The</strong> key parameters in the SESSIONS definition are:<br />
► CONNECTION<br />
Associates this SESSIONS definition with the CONNECTION name CTG5.<br />
► PROTOCOL<br />
Indicates the type of sessions to be used for an intercommunication<br />
connection. Sessions used by EXCI must specify EXCI for the protocol.<br />
► RECEIVEPFX<br />
Specifies a one- or two-character prefix that <strong>CICS</strong> is to use as the first one or<br />
two characters of the receive session names. <strong>CICS</strong> creates the remainder of<br />
the four-character names from the alphanumeric characters A through Z, and<br />
1 through 9. <strong>The</strong>se two- or three-character identifiers begin with the letters<br />
AAA, and continue in ascending sequence until the number of session entries<br />
reaches the limit set by the RECEIVECOUNT value (in our example C5AA,<br />
C5AB, C5AC, and so on). <strong>The</strong> default receive prefix is (
4.2.3 EXCI options table: DFHXCOPT<br />
72 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> EXCI options table, DFHXCOPT, enables you to specify a number of<br />
parameters that the EXCI requires. <strong>The</strong>re is no suffixed version of this program,<br />
so the first DFHXCOPT table located in the STEPLIB concatenation or linklist will<br />
be loaded. Example 4-1 shows the default parameters for the DFHXCOPT<br />
macro. Assembly of DFHXCOPT is accomplished by the use of the DFHAUPLE<br />
proc in <strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHPROC.<br />
Example 4-1 EXCI options table, DFHXCOPT<br />
DFHXCO TYPE=CSECT,<br />
TIMEOUT=0, No timeout<br />
TRACE=OFF, Trace entries<br />
TRACESZE=1024, Trace table<br />
DURETRY=30, Retry SDUMPS for 30 seconds<br />
TRAP=OFF, DFHXCTRA - OFF<br />
GTF=ON, GTF - ON<br />
MSGCASE=MIXED, Mixed case messages<br />
<strong>CICS</strong>SVC=0, EXCI will obtain <strong>CICS</strong> SVC number<br />
CONFDATA=SHOW, Show user commarea data in trace<br />
SURROGCHK=YES Perform surrogate-user check<br />
END DFHXCOPT<br />
<strong>The</strong> meanings of the significant parameters are:<br />
► TRACE<br />
Set to OFF. This specifies that EXCI tracing is not required, but exception<br />
trace entries are always written to the internal trace table.<br />
► <strong>CICS</strong>SVC<br />
Specifies the <strong>CICS</strong> type 3 SVC number to be used for MRO communication.<br />
EXCI must use the same SVC number that is in use by the <strong>CICS</strong> MRO<br />
regions that reside in the MVS image where the client program is running.<br />
<strong>The</strong> default of zero indicates that EXCI will obtain the <strong>CICS</strong> SVC number from<br />
MVS by means of an MVS VERIFY command. Using this default is highly<br />
recommended wherever possible. If you allow this parameter to default, and<br />
EXCI requests the SVC from MVS, then the request will fail if no <strong>CICS</strong> region<br />
has logged on to DFHIRP.<br />
► CONFDATA<br />
SHOW will allow user data to be traced and not suppressed. If you want trace<br />
entries that are normally written to the EXCI trace table to also be written to<br />
the generalized trace facility (GTF), then specify GTF=ON.
► SURROGCHK<br />
Defaults to YES, meaning that a surrogate security check will be performed in<br />
the EXCI client address space if the flowed user ID is different from the user<br />
ID of the client address space. This occurs regardless of the <strong>CICS</strong> security<br />
settings. This means that if you flow a user ID in an EXCI request (including<br />
flowing a user ID with an External Call Interface [ECI] request using the <strong>CICS</strong><br />
TG for z/OS), you will need to either add a RACF surrogate profile, or disable<br />
surrogate security checks by setting this parameter to NO. For details on how<br />
to add surrogate profiles, refer to “SURROGAT security profiles” on page 109.<br />
Refer to the <strong>CICS</strong> External Interfaces Guide, SC33-1944, for a detailed<br />
description of the DFHXCOPT parameters.<br />
4.2.4 EXCI user-replaceable module: DFHXCURM<br />
<strong>The</strong> user-replaceable module DFHXCURM is invoked on every EXCI<br />
Allocate_Pipe request, and also after detection of any EXCI retryable errors. This<br />
will occur under one of three circumstances:<br />
► <strong>The</strong> target <strong>CICS</strong> region is not available.<br />
► <strong>The</strong>re are no pipes available on the target <strong>CICS</strong> region.<br />
► IRC has not been active since the last initial program load (IPL).<br />
DFHXCURM can be used to remove the affinity of an EXCI request to a given<br />
<strong>CICS</strong> region by dynamically modifying the APPLID in the EXCI request. It can<br />
also be used to provide limited workload balancing of EXCI requests across<br />
multiple <strong>CICS</strong> regions from the <strong>CICS</strong> TG for z/OS. For further details on this<br />
subject, refer to Workload Management for Web Access to <strong>CICS</strong>, SG24-6118.<br />
4.2.5 <strong>Transaction</strong>al EXCI<br />
<strong>Transaction</strong>al EXCI works together with MVS resource recovery services (RRS),<br />
and allows multiple EXCI calls to become part of one logical unit of work. This<br />
now means that the <strong>CICS</strong> TG for z/OS can be used by other transactional<br />
systems (such as <strong>WebSphere</strong> V4.0 for z/OS) to make transaction requests to<br />
<strong>CICS</strong>, which can be coordinated using a two-phase commit mechanism between<br />
the two systems.<br />
Restriction: EXCI requests can only be transactional if the address space<br />
using the EXCI and the <strong>CICS</strong> region execute in the same z/OS image. This is<br />
a restriction imposed by the RRS support in <strong>CICS</strong>.<br />
To implement transactional EXCI, you must specify the following parameters:<br />
► RRMS=YES in <strong>CICS</strong> SIT parameter<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 73
74 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► CTG_RRMNAME as a <strong>CICS</strong> TG environment variable<br />
This is the name that the <strong>CICS</strong> TG registers with RRS for transactional EXCI<br />
requests to <strong>CICS</strong>. You will only need to modify this if using transactional EXCI<br />
requests. For further details on how we implemented transactional EXCI with<br />
our <strong>CICS</strong> TG for z/OS, refer to Chapter 7, “TCP connections to the <strong>Gateway</strong><br />
daemon on z/OS” on page 133.<br />
4.3 EXCI definitions for the <strong>CICS</strong> TG<br />
<strong>The</strong> following environment variables are specific to the <strong>CICS</strong> TG for z/OS. We<br />
specified these parameters in the PDS member named on our STDENV card in<br />
the <strong>CICS</strong> TG started task, but they can also be set in the ctgenvvar HFS file,<br />
among other places. For further details on how the settings of these variables are<br />
controlled, refer to Figure 7-5 on page 149. For step-by-step details on how we<br />
configured our <strong>CICS</strong> TG for z/OS, refer to Chapter 7, “TCP connections to the<br />
<strong>Gateway</strong> daemon on z/OS” on page 133.<br />
<strong>The</strong> parameters we used in our <strong>CICS</strong> TG for z/OS are as follows:<br />
► DFHJVPIPE<br />
This parameter names the EXCI pipe in use by the <strong>CICS</strong> TG (when using a<br />
specific EXCI connection). If not specified, the <strong>CICS</strong> TG will use a generic<br />
pipe. We set this parameter to the name of our <strong>CICS</strong> TG region (SCSCTG5),<br />
to help with management and problem diagnosis.<br />
Note: <strong>The</strong> DFHJVPIPE value must match the NETNAME parameter in the<br />
<strong>CICS</strong> CONNECTION definition.<br />
► EXCI_LOADLIB<br />
This is the name of the library containing the EXCI load modules (without its<br />
high-level qualifier). This will usually be SDFHEXCI, and so does not usually<br />
need modifying.<br />
► EXCI_OPTIONS<br />
This is a user library that contains the EXCI options to be used if you have a<br />
tailored version of the EXCI options table (DFHXCOPT). For more details,<br />
refer to “SURROGAT security checking and DFHXCOPT” on page 125.
4.4 Problem determination<br />
4.4.1 Tips and utilities<br />
In this section, we discuss the different tools available for performing problem<br />
resolution for <strong>CICS</strong> EXCI connections.<br />
In configuring our EXCI connections in this project, we used the following utilities<br />
to aid us in problem determination.<br />
EXCI sample batch program<br />
When configuring our EXCI connections, we decided it was easiest to test our<br />
connections using the <strong>CICS</strong> EXCI sample batch program DFH0CXCC. This way<br />
we could be sure our EXCI connections were working, before we implemented<br />
our <strong>CICS</strong> TG for z/OS.<br />
DFH0CXCC is a simple batch program, written in COBOL that uses the EXCI to<br />
call the <strong>CICS</strong> assembler program, DFH$AXCS. Further information on<br />
implementing this application can be found in the “Sample Applications<br />
Appendix” in the manual <strong>CICS</strong> Resource Definitions, SC33-1684.<br />
Tip: DFH0CXCC calls the <strong>CICS</strong> program DFH$AXCS using a generic pipe<br />
(since the APPLICATION variable is set to zero). To properly test connectivity<br />
when using specific pipes with the <strong>CICS</strong> TG for z/OS, we suggest you modify<br />
the source for DFH0CXCC to use the pipe named in your <strong>CICS</strong> TG<br />
DFHJVPIPE variable and test using this specific pipe. In our example, we<br />
changed it to SCSCTG5.<br />
CEDF<br />
We found it useful to use the <strong>CICS</strong> execution diagnostic facility in our tests. It is<br />
possible to turn CEDF on in one of two ways when using EXCI requests:<br />
CEDF CTG5 This causes all incoming transaction attaches on the connection<br />
named CTG5 to be suspended and debugged by the <strong>CICS</strong><br />
execution diagnostic facility program, DFHEDFP, on the terminal<br />
in use.<br />
CEDX CSMI This causes all transaction attaches for the CSMI transaction to<br />
be suspended and debugged by the <strong>CICS</strong> execution diagnostic<br />
facility program, DFHEDFP, on the terminal in use.<br />
Note that use of the CEDF or CEDX causes all transactions using the named<br />
connection or transaction to be suspended, so use with care and remember to<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 75
76 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
switch it off when you are finished debugging. To turn off CEDX for the CSMI<br />
transaction, use the syntax CEDX CSMI,OFF.<br />
Connection status<br />
When diagnosing errors in EXCI, it is best to check first that the <strong>CICS</strong> resources<br />
are open and available. <strong>The</strong> following transactions can be used to verify this.<br />
Verify IRC<br />
<strong>The</strong> first check should usually be to view the status of IRC, which must be open<br />
for EXCI to function. Issue the command CEMT INQ IRC. <strong>The</strong> output is shown in<br />
Figure 4-4.<br />
INQ IRC<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Irc Ope<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 19.28.44 DATE: 05.28.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 4-4 Displaying the IRC status in <strong>CICS</strong>
View the connection definition<br />
To view the status of all connections, issue the command CEMT INQ CONN. <strong>The</strong><br />
output is shown in Figure 4-5.<br />
INQ CONN<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Con(CTG5) Net(SCSCTG5 ) Ins Irc Exci<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 19.22.54 DATE: 05.28.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 4-5 Displaying connections in <strong>CICS</strong><br />
<strong>The</strong> inquiry of connection definitions is useful because it displays all the defined<br />
connections and also the netnames for each connection. <strong>The</strong> status of all EXCI<br />
connections should be Ins, although this does not mean any sessions are<br />
acquired.<br />
View status of EXCI pipes<br />
To display the individual status of each session, we entered the command:<br />
CEMT INQ NETNAME(SCSCTG5)<br />
where SCSCTG5 is the netname for our connection (as defined in our DFHJVPIPE<br />
variable). <strong>The</strong> output is shown in Figure 4-6 on page 78.<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 77
78 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
INQ NETNAME(SCSCTG5)<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Net(SCSCTG5 ) Tra(CSMI) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C51 ) Tas(0001608) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C52 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C53 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C54 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C55 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C56 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C57 ) Rem(CTG5)<br />
Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C58 ) Rem(CTG5)<br />
+ Net(SCSCTG5 ) Pri( 000 ) Aut Ins Ati Tti Ses<br />
Ter(C59 ) Rem(CTG5)<br />
SYSID=PJA2 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 00.59.01 DATE: 06.17.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 4-6 Displaying netnames<br />
<strong>The</strong> status of Ins for each session indicates the status of each pipe. <strong>The</strong><br />
transaction that CSMI displayed for the first session, C51, indicates that an EXCI<br />
request is currently active on that given session (we achieved this result by<br />
suspending the CSMI mirror task by using CEDF). <strong>The</strong> number of sessions in the<br />
display is a useful indicator of the number of sessions defined in the EXCI<br />
connection. In our example we had defined a RECEIVECOUNT of 10 in our<br />
SESSIONS definition, and a RECEIVEPFX of C5, so CEMT INQ NETNAME<br />
displayed 10 sessions named C51 to C510.
View status of EXCI calls<br />
To view the status of active EXCI calls, issue the command CEMT INQ EXCI. <strong>The</strong><br />
results are shown in Figure 4-7.<br />
INQ EXCI<br />
STATUS: RESULTS<br />
Exc(SCSCTG55.*OMVSEX. - SC66 ) Tas(0001608)<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 19.30.26 DATE: 05.28.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 4-7 Displaying an EXCI connection<br />
<strong>The</strong> results in Figure 4-7 show that there is currently an EXCI request active<br />
(task 1608) associated with the region SCSCTG55, which is one of the<br />
processes used by our <strong>CICS</strong> TG, SCSCTG5.<br />
XCF group membership<br />
An important consideration when the <strong>CICS</strong> TG is used with the EXCI is the<br />
usage of slots in the DFHIR000 XCF (cross-system coupling facility) group in the<br />
sysplex couple data set. This XCF group is used by <strong>CICS</strong> when two address<br />
spaces on different LPARs communicate by means of MRO or EXCI. <strong>The</strong><br />
maximum possible limit for group membership is 1023 members per group (it<br />
was raised from 511 by APAR OW21511), but the actual limit is defined in the<br />
MAXMEMBER parameter when the couple data set is formatted. To display this<br />
limit, the MVS command /D XCF,COUPLE can be used. <strong>The</strong> output of this<br />
command when we moved our <strong>Gateway</strong> region SCSCTG5 to another LPAR in<br />
our sysplex is shown in Example 4-2. You can see that all the <strong>CICS</strong> regions in our<br />
sysplex are listed as individual members (such as SCSCPJA1), but our <strong>Gateway</strong><br />
region has a member named for the thread under which the EXCI is running<br />
(T02CEF40SC66), and not for the <strong>Gateway</strong> address space.<br />
Example 4-2 Displaying XCF connections<br />
IXC332I 13.47.38 DISPLAY XCF 105<br />
GROUP DFHIR000: SCSCCOB1 SCSCERW1 SCSCERW2<br />
SCSCERW3 SCSCLSA5 SCSCPAAS<br />
SCSCPAAY SCSCPAA2 SCSCPAA6<br />
SCSCPAGV SCSCPAME SCSCPJA1<br />
SCSCPJA2 SCSCPJA4 T02CEF40SC66<br />
Chapter 4. EXCI connections to <strong>CICS</strong> 79
4.4.2 Tracing<br />
80 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
EXCI outputs trace to an internal trace table and an external MVS GTF data set.<br />
<strong>The</strong> internal trace table resides in the non-<strong>CICS</strong> MVS batch region. EXCI<br />
maintains a separate trace table for each user task control block (TCB) in an<br />
EXCI application program. Trace data is formatted and included in any dumps<br />
EXCI produced. <strong>The</strong> trace entries are listed in the manual <strong>CICS</strong> Trace Entries,<br />
SC34-5446.<br />
EXCI produces MVS SYSM dumps for some error conditions and MVS SDUMPs<br />
for more serious conditions. <strong>The</strong>se dumps contain all the external <strong>CICS</strong> interface<br />
control blocks as well as trace entries. You can use the MVS interactive problem<br />
control system (IPCS) to format these dumps. For details on using IPCS, refer to<br />
<strong>CICS</strong> Operations and Utilities Guide, SC33-1685.<br />
To use GTF for EXCI tracing, GTF user tracing must be active, GTF must be<br />
started in the MVS image, and you must specify GTF=ON in the DFHXCOPT<br />
options table. If you use GTF trace for both the <strong>CICS</strong> server region and the EXCI<br />
region, the trace entries are interleaved, which can help you with problem<br />
determination in the <strong>CICS</strong>-EXCI environment. <strong>The</strong> external <strong>CICS</strong> interface does<br />
not support any form of auxiliary trace. Actual examples of how to use EXCI<br />
tracing are provided in 7.4.2, “Tracing” on page 170.<br />
<strong>Gateway</strong> trace<br />
When using the <strong>CICS</strong> TG for z/OS, there are essentially four different types of<br />
tracing you can use: EXCI tracing, normal <strong>Gateway</strong> trace, extended <strong>Gateway</strong><br />
trace, and <strong>Gateway</strong> JNI trace. We found the most useful traces were the normal<br />
<strong>Gateway</strong> trace, which provides a quick snapshot view of an ECI request, and JNI<br />
trace, which provides return codes for all the EXCI calls. Actual examples of how<br />
we used each of these are explained in detail in 7.4.2, “Tracing” on page 170.
5<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong><br />
In this chapter, we describe how we configured a TCP/IP connection from the<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) on Windows 2000 to our <strong>CICS</strong><br />
<strong>Transaction</strong> Server (<strong>CICS</strong> TS) V2.2 region. We show only Windows 2000, but<br />
these steps can be used to configure all the platforms except z/OS, since there<br />
are no major differences. Our configuration is illustrated in Figure 5-2 on<br />
page 83.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 81
5.1 Introduction to ECI over TCP/IP<br />
82 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
ECI over TCP/IP is a communications mechanism that provides the ability to<br />
connect from the <strong>CICS</strong> TG to a <strong>CICS</strong> TS region over an IP network. It utilizes the<br />
support for ECI over TCP/IP in <strong>CICS</strong> TS V2.2 to send <strong>CICS</strong> Universal Client or<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> ECI requests over an IP network.<br />
Figure 5-1 shows the various types of ECI connections currently supported by<br />
<strong>CICS</strong>. A SNA connection can be made via VTAM into <strong>CICS</strong>. Compared to SNA,<br />
TCP/IP configuration is more straightforward and can be flowed over an IP<br />
network. In order to flow APPC over an IP network, a client uses TCP62 to<br />
communicate with AnyNet, which performs protocol conversion and then<br />
communicates with <strong>CICS</strong> via VTAM. TCP/IP does not incur the protocol<br />
conversion overhead of TCP62 and again is more straightforward to configure, as<br />
neither AnyNet nor VTAM is required.<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> TG<br />
SNA<br />
TCP62<br />
TCP/IP<br />
z/OS<br />
AnyNet<br />
TCP/IP<br />
Figure 5-1 Overview of ECI connection types<br />
VTAM<br />
Terminal<br />
control<br />
<strong>CICS</strong> TS<br />
region<br />
Sockets<br />
domain<br />
In Figure 5-2 on page 83 we illustrate an overview of the TCP/IP environment<br />
that we configure in this chapter.
Windows 2000<br />
CTG<br />
TCP/IP<br />
Figure 5-2 <strong>CICS</strong> TG TCP/IP configuration<br />
5.1.1 Software checklist<br />
We used the levels of software shown in Table 5-1.<br />
Table 5-1 Software levels, EXCI<br />
IP network<br />
ECI over TCP/IP<br />
z/OS<br />
<strong>CICS</strong> TS<br />
(SCSCPJA1)<br />
TCP/IP<br />
volga.almaden.ibm.com wtsc66.itso.ibm.com<br />
9.1.38.39<br />
9.12.6.6<br />
Client workstation z/OS<br />
Windows 2000 Service Pack 2 z/OS V1.2<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for Windows <strong>V5</strong>.0 <strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
<strong>IBM</strong> Java Development Kit V1.3.0<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 83
5.1.2 Definitions checklist<br />
84 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> definitions we used to configure this scenario are summarized in Table 5-2.<br />
Before you configure the products, we recommend that you decide on definitions<br />
for each parameter listed. Reference keys shown in the Key column are assigned<br />
to definitions that should contain the same value in more than one product. <strong>The</strong><br />
Example column shows the values we used in our configuration.<br />
Table 5-2 Definitions checklist for ECI over TCP/IP<br />
Key Communications<br />
Server for z/OS<br />
In addition, we also had to deploy our <strong>CICS</strong> COBOL application EC01 and<br />
configure a DFHCNV data conversion template in <strong>CICS</strong> for use by this program.<br />
Refer to Appendix A, “DFHCNV and <strong>CICS</strong> data conversion” on page 329 for<br />
more details.<br />
5.2 TCP/IP definitions for <strong>CICS</strong><br />
<strong>CICS</strong> region <strong>CICS</strong> TG<br />
server<br />
definition<br />
Example<br />
1 hostname hostname wtsc66.itso.ibm.com<br />
2 PORT port 8018<br />
APPLID SCSCPJA1<br />
TCPIPSERVICE PJA1TCP<br />
GROUP PJA1GRP<br />
To configure a <strong>CICS</strong> TCP/IP listener to handle ECI requests, we first had to<br />
confirm the following definitions were installed into <strong>CICS</strong>:<br />
► SIT parameter: TCPIP=YES<br />
► <strong>CICS</strong>-supplied Transient Date queue CIEO, in group DFHDCTG<br />
► <strong>Transaction</strong> CIEP in group DFHIPECI<br />
► Program DFHIEP in group DFHIPECI<br />
All of these definitions are included in the list DFHLIST and so were activated in<br />
our <strong>CICS</strong> region. <strong>The</strong> SIT parameter ISC=YES is not required for operation of<br />
ECI over TCP/IP.
z/OS TCP/IP definitions<br />
<strong>The</strong> TCP/IP address and host name (1) for the z/OS system are defined by<br />
default in the PROFILE.TCPIP and TCPIP.DATA data sets. In our configuration<br />
the data set was TCPIPMVS.SC66.TCPPARMS and it has members TCPPROF<br />
and TCPDATA. <strong>The</strong>se members have a lot of information, but we are only<br />
interested in the HOSTNAME, and DOMAINNAMEORIGIN parameters in the<br />
TCPDATA member and the HOME parameter in the TCPPROF member. In our<br />
configuration, these parameters were as follows:<br />
HOSTNAME wtsc66 is the host name of our z/OS system<br />
DOMAINNAMEORIGIN itso.ibm.com is the domain name<br />
HOME 9.12.6.6 is the TCP/IP address<br />
Tip: You can also use the TSO command HOMETEST to verify the IP<br />
configuration on your z/OS system.<br />
<strong>CICS</strong> TCP/IP listener<br />
In order to add a TCP/IP listener to <strong>CICS</strong>, we defined a TCPIPSERVICE called<br />
PJA1TCP in the group PJA1GRP. PJA1GRP was in the startup GRPLIST for our<br />
<strong>CICS</strong> region, so the listener will start when <strong>CICS</strong> is started. We used the<br />
following command from a <strong>CICS</strong> terminal to define the listener (see Figure 5-3).<br />
CEDA DEF TCPIPSERVICE(PJA1TCP) GROUP(PJA1GRP)<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA DEFine TCpipservice( PJA1TCP )<br />
TCpipservice : PJA1TCP<br />
GROup : PJA1GRP<br />
Urm ==><br />
POrtnumber ==> 08018 1-65535<br />
STatus ==> Open Open | Closed<br />
PRotocol ==> Eci Iiop | Http | Eci<br />
TRansaction ==> CIEP<br />
Backlog ==> 00100 0-32767<br />
Ipaddress ==> ANY<br />
SOcketclose ==> No No | 0-240000 (HHMMSS)<br />
SECURITY<br />
SSl ==> No Yes | No | Clientauth<br />
Certificate ==><br />
AUthenticate ==> No | Basic | Certificate | AUTORegister<br />
ATtachsec ==> Local Local | Verify<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
DEFINE SUCCESSFUL TIME: 15.30.02 DATE: 02.183<br />
Figure 5-3 ECI over TCP/IP TCPIPSERVICE definition<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 85
86 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> fields relevant to ECI on the TCPIPSERVICE definition are as follows:<br />
PORTNUMBER 2 <strong>The</strong> port on which the TCP/IP service listens.<br />
PROTOCOL <strong>The</strong> protocol of the service. This should be ECI.<br />
TRANSACTION <strong>The</strong> transaction that is run on <strong>CICS</strong> to handle the<br />
incoming ECI requests. This is CIEP for ECI.<br />
BACKLOG <strong>The</strong> number of TCP/IP connections that are queued in<br />
TCP/IP before TCP/IP starts to reject incoming requests.<br />
We set this to 100.<br />
IPADDRESS <strong>The</strong> dotted decimal IP address on which the<br />
TCPIPSERVICE listens. Since we had two IP stacks, we<br />
specified ANY so that the <strong>CICS</strong> TCP/IP listener would<br />
listen on both addresses.<br />
SOCKETCLOSE Specifies if, and for how long, <strong>CICS</strong> should wait before<br />
closing the socket, after issuing a receive for incoming<br />
data on that socket. For ECI connections, we recommend<br />
NO. This will ensure that the connection from the Client<br />
daemon always remains open.<br />
ATTACHSEC Specifies the level of attach-time security required for<br />
TCP/IP connections to <strong>CICS</strong> Clients. For testing<br />
purposes, we specified LOCAL, which means that <strong>CICS</strong><br />
does not require a user ID or password from clients.<br />
We installed our TCPIPSERVICE definition using the command:<br />
CEDA INS TCPIPSERVICE(PJA1TCP) GROUP(PJA1GRP).<br />
We used the command CEMT I TCPIPS to display the active service (Figure 5-4).<br />
I TCPIPS<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Tcpips(PJA1TCP ) Bac( 00128 ) Con(0003) Por(08018) Eci Nos<br />
Ope Tra(CIEP) Ipa(9.12.6.29 ) Wai<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
RESPONSE: NORMAL TIME: 15.44.37 DATE: 07.02.02<br />
PF 1 HELP 3 END 5 VAR 7 SBH 8 SFH 9 MSG 10 SB 11 SF<br />
Figure 5-4 TCP/IP listener status
5.3 TCP/IP definitions for the <strong>CICS</strong> TG<br />
We used the Configuration Tool to define the settings for TCP/IP communication.<br />
<strong>The</strong> Configuration Tool generates the CTG.INI file, which is located in the \bin<br />
subdirectory. This file is read by the Client daemon when started and used to<br />
establish a connection to a <strong>CICS</strong> Server. We defined the parameters as shown in<br />
Figure 5-5.<br />
Figure 5-5 TCP/IP server definition in the Configuration Tool<br />
Server name An arbitrary name for your <strong>CICS</strong> server connection. We<br />
specified the region name SCSCPJA1.<br />
Description An arbitrary description for the <strong>CICS</strong> server.<br />
Network protocol <strong>The</strong> protocol for communication with the <strong>CICS</strong> server, in<br />
our example, TCP/IP.<br />
Hostname 1 <strong>The</strong> host name of the z/OS system on which our <strong>CICS</strong><br />
server is listening, in our case wtsc66.itso.ibm.com.<br />
Port 2 <strong>The</strong> port on which our ECI over TCP/IP service is<br />
listening, in our case port 8018.<br />
This creates the lines shown in Example 5-1 on page 88 in the CTG.INI file.<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 87
88 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Example 5-1 Client daemon server definition in CTG.INI<br />
SECTION SERVER = SCSCPJA1<br />
DESCRIPTION=<strong>CICS</strong> TS 2.2 at SC66<br />
UPPERCASESECURITY=Y<br />
USENPI=N<br />
PROTOCOL=TCPIP<br />
NETNAME=wtsc66.itso.ibm.com<br />
PORT=8018<br />
CONNECTTIMEOUT=0<br />
TCPKEEPALIVE=Y<br />
ENDSECTION<br />
Testing the configuration<br />
To test our configuration we used the <strong>CICS</strong> TG sample VBScript application<br />
ecib1.vbs. This is installed in the <strong>CICS</strong> TG /samples/vb/script subdirectory.<br />
Because the sample is a script, no compilation is necessary. <strong>The</strong> script can be<br />
run directly from any Windows 2000 workstation using the built-in Windows<br />
Script Host support. To execute, just double-click the script file on the Windows<br />
desktop, or type the name of the script file at the command prompt. <strong>The</strong><br />
application flows an ECI request to a connected <strong>CICS</strong> region through a specified<br />
server connection using the Client daemon and invokes the transaction EC01<br />
(Figure 5-6). <strong>The</strong> <strong>CICS</strong> region is selected from a window.<br />
Windows 2000<br />
CTG <strong>V5</strong>.0<br />
ecib1.vbs<br />
Client<br />
daemon<br />
ECI Request<br />
TCP/IP<br />
Figure 5-6 TCP/IP connection to <strong>CICS</strong> testing overview<br />
TCPIP<br />
service<br />
z/OS<br />
<strong>CICS</strong> TS V2.2<br />
Region<br />
SCSCPJA1<br />
EC01<br />
program<br />
After we installed and configured the software components illustrated in<br />
Figure 5-6, we tested our configuration as follows:
1. We checked basic IP connectivity from our Windows workstation to the z/OS<br />
system using the ping command from a Windows 2000 prompt. As shown in<br />
Example 5-2, we successfully received a reply from z/OS.<br />
Example 5-2 Output from the ping command on Windows<br />
C:\>ping wtsc66.itso.ibm.com<br />
Pinging wtsc66.itso.ibm.com [9.12.6.6] with 32 bytes of data:<br />
Reply from 9.12.6.6: bytes=32 time=130ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
Reply from 9.12.6.6: bytes=32 time=120ms TTL=52<br />
Ping statistics for 9.12.6.6:<br />
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />
Approximate round trip times in milli-seconds:<br />
Minimum = 120ms, Maximum = 130ms, Average = 122ms<br />
2. We started the <strong>CICS</strong> region SCSCPJA1 on z/OS.<br />
3. Using the ScanPort utility, we then checked that <strong>CICS</strong> was listening on the<br />
TCP/IP port configured in the <strong>CICS</strong> TG server connection definition. See<br />
page 52 in Chapter 3 for more details on how we used the ScanPort utility.<br />
4. We started the <strong>CICS</strong> TG connection to the <strong>CICS</strong> region using the command<br />
<strong>CICS</strong>CLI /S=SCSCPJA1. (SCSCPJA1 is the Server name given in the Client<br />
configuration step in Figure 5-5 on page 87.)<br />
5. We checked the status of the connection to the <strong>CICS</strong> region using the<br />
command <strong>CICS</strong>CLI /L. <strong>The</strong> connection status is available, as shown in<br />
Example 5-3.<br />
Example 5-3 Checking Client daemon connection status<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994, 2002. All rights reserved.<br />
CCL8041I <strong>The</strong> <strong>CICS</strong> Client is using the following servers:<br />
CCL8042I Server 'SCSCPJA1' (using 'TCPIP' to 'wtsc66.itso.ibm.com') is<br />
available<br />
6. We launched the ecib1.vbs test application. This showed the window in<br />
Figure 5-7 on page 90, which displays the server connections defined to the<br />
Client daemon. We entered 1 to select SCSCPJA1 and clicked OK.<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 89
90 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 5-7 ecib1.vbs server selection window<br />
7. We clicked OK on the window that appeared asking for a user name and<br />
password, since SCSCPJA1 did not require a user ID.<br />
<strong>The</strong> application then sent an ECI request to our <strong>CICS</strong> region and displayed the<br />
data returned in the COMMAREA from EC01 in the window shown in Figure 5-8.<br />
Figure 5-8 ecib1.vbs results<br />
5.4 Problem determination<br />
5.4.1 Tips and utilities<br />
In this section, we document information we learned while configuring this<br />
scenario, as well as further information on problem determination and tracing.<br />
In this section, you will find useful commands and utilities for debugging any<br />
problems with your configuration. You will also find some additional information<br />
about topics discussed in this chapter.<br />
Client daemon TCP/IP<br />
For problem determination at the client side, it is best to check the <strong>CICS</strong>CLI.LOG<br />
file under the <strong>CICS</strong> TG bin directory for error messages. If this does not give<br />
enough information, you should start the connection with trace.
<strong>CICS</strong> TS<br />
For problem determination with TCP/IP connections into <strong>CICS</strong> TS, you should<br />
refer to the following logs:<br />
► z/OS system log (SDSF.LOG) for TCP/IP information messages<br />
► <strong>CICS</strong> console and CSMT logs for <strong>CICS</strong> messages<br />
Windows TCP/IP status<br />
To check the status of TCP/IP as used by the Client daemon on the workstation,<br />
you can issue the netstat /a /n command to view socket usage as shown in<br />
Example 5-4.<br />
Example 5-4 Client side netstat information<br />
C:\>netstat /a /n<br />
Active Connections<br />
Proto Local Address Foreign Address State<br />
TCP 9.1.38.39:1142 9.12.6.29:23 ESTABLISHED<br />
TCP 9.1.38.39:1202 9.12.6.6:8018 ESTABLISHED<br />
TCP 9.1.38.39:1148 9.12.6.6:23 ESTABLISHED<br />
TCP 9.1.38.39:1323 9.17.186.68:1533 ESTABLISHED<br />
This shows that the Client daemon is using the TCP port 1202 on our workstation<br />
(9.1.38.39), and that a session is established using a TCP connection with the<br />
z/OS system (9.12.6.6).<br />
z/OS TCP/IP status<br />
<strong>The</strong> D TCPIP command issued from SDSF displays the status of TCP/IP on the<br />
z/OS system as shown in Example 5-5.<br />
Example 5-5 Status of TCP/IP<br />
D TCPIP<br />
RESPONSE=SC66<br />
EZAOP50I TCPIP STATUS REPORT 513<br />
COUNT TCPIP NAME VERSION STATUS<br />
----- ---------- -------- ------------------------<br />
1 TCPIPOE CS V1R2 ACTIVE<br />
2 TCPIPMVS CS V1R2 ACTIVE<br />
*** END TCPIP STATUS REPORT ***<br />
EZAOP41I 'DISPLAY TCPIP' COMMAND COMPLETED SUCCESSFULLY<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 91
92 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In our example, we were using the TCP/IP stack TCPIPMVS on our z/OS<br />
system. However, because we specified ALL for the IPADDRESS of our<br />
TCPIPSERVICE, our <strong>CICS</strong> region is listening on both TCP/IP stacks.<br />
To display the TCP/IP sockets in use by <strong>CICS</strong>, you can use the TSO NETSTAT<br />
command as shown in Example 5-6. This will give you similar information that<br />
you got from the client side. <strong>The</strong> output shows our <strong>CICS</strong> region listening on port<br />
8018.<br />
Example 5-6 MVS NETSTAT<br />
EZZ2350I MVS TCP/IP NETSTAT CS V1R2 TCPIP NAME: TCPIPMVS 18:25:59<br />
EZZ2585I User Id Conn Local Socket Foreign Socket State<br />
EZZ2586I ------- ---- ------------ -------------- -----<br />
EZZ2587I SCSCPJA1 000085F2 0.0.0.0..8011 0.0.0.0..0 Listen<br />
EZZ2587I SCSCPJA1 000085F4 0.0.0.0..8018 0.0.0.0..0 Listen<br />
EZZ2587I SCSCPJA1 000085F0 0.0.0.0..8010 0.0.0.0..0 Listen<br />
To display the TCP/IP sockets in use by <strong>CICS</strong> on the TCP/IP stack TCPIPOE,<br />
you can use the OMVS command netstat /a as shown in Example 5-7. <strong>The</strong><br />
output shows our <strong>CICS</strong> region listening on port 8018 on the TCPIPOE stack.<br />
Example 5-7 OMVS netstat<br />
MVS TCP/IP onetstat CS V1R2 TCPIP Name: TCPIPOE 14:48:01<br />
User Id Conn Local Socket Foreign Socket State<br />
------- ---- ------------ -------------- -----<br />
PMAPOE1 00000037 0.0.0.0..111 0.0.0.0..0 Listen<br />
SCSCPJA1 00000B09 0.0.0.0..8078 0.0.0.0..0 Listen<br />
SCSCPJA1 00000D90 0.0.0.0..8018 0.0.0.0..0 Listen<br />
SCSCPJA1 00000B03 0.0.0.0..8010 0.0.0.0..0 Listen<br />
Traceroute<br />
If the ping command fails to reach a host, then the tracert command can be<br />
used to discover more about the problem. Like ping, tracert tests connectivity<br />
between two network hosts; however, tracert lists each router in the network<br />
between the machine running the command and the destination host.<br />
Sometimes an inability to contact a host is due to one of these routers not<br />
forwarding IP traffic, so tracert can be used to discover which router is<br />
preventing a connection to a remote host.<br />
In Example 5-8 on page 93 we traced the route from our Windows workstation to<br />
our z/OS system using the command tracert wtsc66.itso.ibm.com from a<br />
Windows command prompt.
Example 5-8 tracert command<br />
C:\>tracert wtsc66.itso.ibm.com<br />
Tracing route to wtsc66.itso.ibm.com [9.12.6.6]<br />
over a maximum of 30 hops:<br />
1
94 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
MAXSOCKETS SIT parameter<br />
<strong>The</strong> SIT parameter MAXSOCKETS controls the maximum number of sockets<br />
that may be managed in a <strong>CICS</strong> region. This is set as follows:<br />
► If the user ID that <strong>CICS</strong> is running under has superuser authority, then the<br />
default value is 65535.<br />
► If not, the default is the value of the MAXFILEPROC parameter specified in<br />
SYS1.PARMLIB member BPXPRMxx.<br />
Note that sockets created by Java programs running on threads that are not<br />
managed by <strong>CICS</strong> do not count towards the limit.<br />
<strong>The</strong> MAXSOCKETS value can be seen using the <strong>CICS</strong> command CEMT I TCPIP<br />
(see Figure 5-9). <strong>The</strong> MAX field shows the maximum number of sockets, and the<br />
ACT field shows how many sockets are active on the region. <strong>The</strong> value of<br />
MAXSOCKETS can also be changed using CEMT.<br />
I TCPIP<br />
STATUS: RESULTS - OVERTYPE TO MODIFY<br />
Tcp Ope Act(00006) Max( 00255 )<br />
Figure 5-9 CEMT showing MAXSOCKETS<br />
SYSID=PJA1 APPLID=SCSCPJA1<br />
<strong>CICS</strong> statistics<br />
It is possible to obtain statistics from <strong>CICS</strong> about TCP/IP and ECI over TCP/IP.<br />
This is done with the <strong>CICS</strong> Statistics Print sample program. To use this, we<br />
performed the following steps:<br />
1. We installed the group DFH$STAT with the <strong>CICS</strong> command CEDA INS<br />
G(DFH$STAT).<br />
2. We ran the statistics print transaction with the <strong>CICS</strong> command STAT.<br />
3. We pressed PF4. This displayed the Report Selection screen.<br />
4. We selected the <strong>CICS</strong> functions TCP/IP and TCP/IP Services, as shown in<br />
Figure 5-10 on page 95.
Figure 5-10 STAT report selection screen<br />
5. We pressed PF3. <strong>The</strong> main panel was displayed. We pressed PF5 to print the<br />
statistics to the <strong>CICS</strong> log.<br />
<strong>The</strong> DDNAME of the statistics print output under SDSF was S0000001. A<br />
summary of the statistics output is shown in Example 5-10.<br />
Example 5-10 Partial <strong>CICS</strong> statistics<br />
System Status<br />
_____________<br />
Max IP Sockets. . . . . . . . . . : 255<br />
Active IP Sockets.. . . . . . . . : 6<br />
TCP/IP Services<br />
_______________<br />
Sample Program - <strong>CICS</strong> Statistics Print Report Selection<br />
07/03/2002 15:00:08<br />
Select the statistics reports required and press 'Enter' to validate<br />
System Status. . . . . . . . . . . Y Page Index . . . . . . . . . . . . N<br />
<strong>Transaction</strong> Manager. . . . . . . . N Dispatcher . . . . . . . . . . . . N<br />
Storage Manager. . . . . . . . . . N<br />
Loader . . . . . . . . . . . . . . N Storage Subpools . . . . . . . . . N<br />
<strong>Transaction</strong>s . . . . . . . . . . . N <strong>Transaction</strong> Classes. . . . . . . . N<br />
Programs . . . . . . . . . . . . . N<br />
Programs by DSA and LPA. . . . . . N DFHRPL Analysis. . . . . . . . . . N<br />
Transient Data . . . . . . . . . . N Transient Data Queues. . . . . . . N<br />
Temporary Storage. . . . . . . . . N Temporary Storage Models . . . . . N<br />
Temporary Storage Queues . . . . . N Temporary Storage Queues by Pool . N<br />
Logstream Global (System Logs) . . N<br />
Journals . . . . . . . . . . . . . N Logstreams . . . . . . . . . . . . N<br />
Files. . . . . . . . . . . . . . . N Data Set Names . . . . . . . . . . N<br />
LSR Pools. . . . . . . . . . . . . N Coupling Fcty Data Table Pools . . N<br />
TCP/IP . . . . . . . . . . . . . . Y TCP/IP Services. . . . . . . . . . Y<br />
Report selections are valid.<br />
Return to the Statistics Print screen to print the selected reports.<br />
F1=Help F3=Return to Print F8=Forward F10=Save F12=Restore<br />
TCP/IP Service Port<br />
Service Status Number Protocol Backlog IP Address<br />
___________________________________________________________<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 95
96 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
PJA1 OPEN 8010 IIOP 5 9.12.6.29<br />
PJA1RMEB OPEN 8011 HTTP 5 9.12.6.29<br />
PJA1TCP OPEN 8018 ECI 128 9.12.6.29<br />
TCP/IP Attach<br />
Service SSL Authenticate Security Tran URM<br />
___________________________________________________________<br />
PJA1 None None CIRR<br />
PJA1RMEB None None CWXN DFHWBADX<br />
PJA1TCP None None Local CIEP<br />
TCP/IP Services - Requests<br />
__________________________<br />
TCP/IP Service Open Open <br />
Service Status Date Time Current Peak<br />
______________________________________________________________<br />
PJA1 OPEN 07/03/2002 13:31:07 0 0<br />
PJA1RMEB OPEN 07/03/2002 13:31:07 0 0<br />
PJA1TCP OPEN 07/03/2002 13:31:08 2 2<br />
TCP/IP Trans Send Avg Bytes Receive Avg Bytes<br />
Service Attached Requests / Send Requests / Receive<br />
_____________________________________________________________________<br />
PJA1 0 0 0 0 0<br />
PJA1RMEB 0 0 0 0 0<br />
PJA1TCP 2 4 47 12 29<br />
As shown, the maximum IP sockets is 255. Details of the TCP/IP listener are<br />
given, including port number, backlog, attach security, and transaction. Details of<br />
requests made to our TCP/IP listener are also given, including when the listener<br />
was open, bytes sent, and requests received.<br />
Common errors<br />
If you experience problems connecting to <strong>CICS</strong>, check for the following message<br />
in the <strong>CICS</strong> log:<br />
DFHIE1203 07/03/2002 14:20:20 SCSCPJA1 9.1.39.10 PJA1TCP EPI request<br />
attempted by TCP/IP connected client.<br />
<strong>The</strong> corresponding message in the Client daemon log is:<br />
07/03/02 11:18:55.268 [3113] CCL:CCL3102 Inbound GDS data error (000C, 0,<br />
12)
5.4.2 Tracing<br />
This occurs if an EPI request is flowed to the TCP/IP listener, for example by<br />
trying to use cicsterm against the <strong>CICS</strong> region, since <strong>CICS</strong> TS V2.2 only<br />
supports ECI over TCP/IP.<br />
For further details on how to use the trace facilities provided with the Client<br />
daemon, refer to 3.5.2, “Tracing” on page 61.<br />
<strong>CICS</strong> trace<br />
<strong>The</strong> <strong>CICS</strong> IE domain provides ECI specific services and also the following:<br />
► New trace levels IE = 1 or 2<br />
► New dump parameters IE = 1, 2 or 3<br />
To enable or change IE tracing, use the <strong>CICS</strong>-supplied transaction CETR.<br />
eNetwork Communication Server TCP/IP Packet Trace<br />
<strong>The</strong> eNetwork Communication Server TCP/IP Packet Trace can be used to trace<br />
the data being flowed into and out of a <strong>CICS</strong> region, for data conversion or other<br />
diagnosis. For information about TCP/IP Packet Trace, refer to OS/390 eNetwork<br />
Communication Server IP Diagnosis Guide, SC31-8521.<br />
Chapter 5. TCP/IP connections to <strong>CICS</strong> 97
98 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
6<br />
Chapter 6. <strong>CICS</strong> TG security scenarios<br />
In this chapter, we describe how to use and implement <strong>CICS</strong>-RACF security<br />
when using the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG).<br />
We start with a brief overview of <strong>CICS</strong> security and then move on to document a<br />
set of end-to-end security scenarios to show you how we secured the following<br />
scenarios:<br />
► ECI request to <strong>CICS</strong> using the <strong>CICS</strong> TG for z/OS<br />
► ECI request to <strong>CICS</strong> using the <strong>CICS</strong> TG for Windows<br />
► EPI request to <strong>CICS</strong> using the <strong>CICS</strong> TG for Windows<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 99
6.1 Introduction to <strong>CICS</strong> security<br />
100 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>CICS</strong> uses the z/OS System Authorization Facility (SAF) to route authorization<br />
requests to an external security manager (ESM) to perform all its security<br />
checks. Any suitable ESM could be used, but as <strong>IBM</strong>’s RACF product is the most<br />
commonly used, the remainder of this book will refer to RACF. For complete<br />
information about <strong>CICS</strong> security, refer to the <strong>CICS</strong> RACF Security Guide,<br />
SC33-1701.<br />
Every <strong>CICS</strong> region requires certain special user IDs to be established, and also<br />
uses certain user ID when receiving inbound requests from other systems.<br />
<strong>The</strong>se user IDs are as follows:<br />
Region user ID This is the user ID under which the <strong>CICS</strong> job itself runs, and<br />
is a powerful user ID.<br />
Default user ID This is used when users do not explicitly sign on, and should<br />
be given very low authorization. It is specified in the SIT<br />
parameter DFLTUSER.<br />
Flowed user ID This is any user ID that is flowed in an ISC or MRO request,<br />
and includes user IDs flowed in ECI and EPI requests from<br />
Java applications.<br />
Link user ID This is a user ID defined on CONNECTION or SESSIONS<br />
definition. It is used in link security and to determine if<br />
connected systems are equivalent.<br />
Authentication of <strong>CICS</strong> users is the responsibility of RACF. Once authenticated,<br />
the user can pass through transaction security, resource security, command<br />
security, surrogate security, and, if the request is forwarded to another <strong>CICS</strong><br />
region, intercommunication security. <strong>The</strong>se are briefly explained in the following<br />
text.<br />
<strong>Transaction</strong> security<br />
<strong>CICS</strong> uses transaction security to control a user’s permission to start a<br />
transaction. <strong>CICS</strong> performs a transaction security check even if no user has<br />
signed on. Users who do not sign on can use only those transactions that are<br />
authorized to the <strong>CICS</strong> default user ID. Usually this ID is very limited in what it<br />
has access to.<br />
Resource security<br />
<strong>CICS</strong> provides a further (optional) level of security by controlling access to<br />
individual resources, which include programs, files, and started transactions.<br />
<strong>The</strong>re are no special implications for resource security with the <strong>CICS</strong> TG and so<br />
this subject is not addressed any further in this chapter.
Surrogate user security<br />
<strong>CICS</strong> performs surrogate user security checking in a number of instances to<br />
ensure that the authenticated user is authorized to act for another user. It can<br />
also be used by the <strong>CICS</strong> TG itself to ensure that the started task user ID is<br />
authorized to initiate work on behalf of the user ID flowed in an ECI request.<br />
Intercommunication security<br />
Intercommunication security in <strong>CICS</strong> is concerned with incoming requests for<br />
access to <strong>CICS</strong> resources. Requests from the <strong>CICS</strong> TG can arrive via APPC<br />
(ISC) or EXCI (MRO) connections and the two are treated somewhat differently.<br />
<strong>The</strong>re are three fundamentally different intercommunication security checks that<br />
can be performed as follows:<br />
► Bind security<br />
This verifies the system wishing to connect (bind) to <strong>CICS</strong> is authorized to do<br />
so.<br />
► User security (or in LU 6.2 terms, conversation level security)<br />
This causes a check to be made against the flowed user ID when an inbound<br />
requests attaches the requested transaction in <strong>CICS</strong>. This behavior is defined<br />
in the ATTACHSEC parameter on the CONNECTION definition. For MRO or<br />
EXCI requests from the <strong>CICS</strong> TG, this should always be IDENTIFY, meaning<br />
that only the user ID is checked. For APPC (or TCP62) connections from the<br />
<strong>CICS</strong> TG, this should be set to VERIFY, meaning both the user ID and<br />
password are checked. For ECI over TCP/IP connection from the <strong>CICS</strong> TG,<br />
this should be set in the TCPIPSERVICE to VERIFY.<br />
► Link security<br />
This is an additional level of authorization checking that can apply to the<br />
attached transaction. A specific user ID (the link user) is defined on the<br />
connection with the remote system. This user ID must be authorized to have<br />
access to all transactions and resources invoked through this connection.<br />
This concept applies equally to MRO and ISC.<br />
We discuss how each of these apply to security with <strong>CICS</strong> TG in this chapter.<br />
6.2 <strong>CICS</strong> TG security scenarios<br />
In the following sections, we present three security scenarios, as follows:<br />
► An ECI call to a <strong>CICS</strong> program using the <strong>CICS</strong> TG for z/OS and an EXCI<br />
connection to <strong>CICS</strong> (see 6.2.1, “ECI to <strong>CICS</strong> TG for z/OS (EXCI)” on<br />
page 102)<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 101
102 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► An ECI call to a <strong>CICS</strong> program using the <strong>CICS</strong> TG for Windows and a TCP/IP<br />
connection to <strong>CICS</strong> (see 6.2.2, “ECI to <strong>CICS</strong> TG for Windows (TCP/IP)” on<br />
page 112)<br />
► An EPI call to a <strong>CICS</strong> transaction using the <strong>CICS</strong> TG for Windows and a<br />
TCP62 connection to <strong>CICS</strong> (see 6.2.3, “EPI to <strong>CICS</strong> TG for Windows<br />
(TCP62)” on page 115)<br />
<strong>The</strong> aim of each scenario is to allow the user <strong>CICS</strong>RS2 access to the desired<br />
resource but deny the user <strong>CICS</strong>RS5 access to the same resource.<br />
In each example we show you how we configured all the required security<br />
definitions in both the <strong>CICS</strong> TG and <strong>CICS</strong>. We do not detail the basic setup of the<br />
<strong>CICS</strong> TG, since this is detailed in other chapters in the book. To test each<br />
scenario, we use a simple Java test application, either using the supplied<br />
samples (EciB1) or our own samples (SignonCapable and SignonIncapable),<br />
which are supplied with the additional material for this book (see Appendix C,<br />
“Additional material” on page 389).<br />
6.2.1 ECI to <strong>CICS</strong> TG for z/OS (EXCI)<br />
In this example, we show how to secure a <strong>CICS</strong> program that is called from an<br />
ECI application using the <strong>CICS</strong> TG for z/OS (Figure 6-1). To test the scenario we<br />
used the synchronous ECI sample EciB1 sample provided by the <strong>CICS</strong> TG in<br />
CTGSAMPLES.JAR. <strong>The</strong> platform of the Java client in our scenario is not<br />
important for our test purposes and could have equally been any other platform<br />
(such as UNIX System Services or Linux) used in this book.<br />
Windows client<br />
Java<br />
application<br />
EciB1<br />
TCP/IP<br />
SCSCTG4<br />
<strong>Gateway</strong><br />
daemon<br />
Figure 6-1 <strong>CICS</strong> TG for z/OS security test environment<br />
EXCI<br />
z/OS <strong>CICS</strong> TS V2.2<br />
Region<br />
MRO/IRC<br />
user ID<br />
SCSCPJA4<br />
EC01<br />
program<br />
authentication<br />
(user ID +<br />
password)<br />
RACF<br />
authorization
In Table 6-1 we document the user ID and job names used in our configuration.<br />
Table 6-1 Configuration parameters<br />
<strong>CICS</strong> APPLID SCSCPJA4<br />
<strong>CICS</strong> default user ID (DFLTUSER) <strong>CICS</strong>USER<br />
<strong>CICS</strong> region user ID SCSCPJA4<br />
<strong>Gateway</strong> daemon started task SCSCTG4<br />
Started task user ID CTGUSER<br />
TCP/IP hostname wtsc66oe.itso.ibm.com<br />
<strong>CICS</strong> TG TCP/IP port 2007<br />
Flowed user ID to which we wish to permit access <strong>CICS</strong>RS2<br />
Flowed user ID to which we wish to deny access <strong>CICS</strong>RS5<br />
<strong>CICS</strong> program to be invoked EC01<br />
Note: <strong>The</strong> TCP/IP port 2007 is not the default port for the TCP protocol handler.<br />
We already have another <strong>Gateway</strong> daemon (SCSCTG5) using the default port<br />
2006, and so we are forced to use a different port for our secure <strong>Gateway</strong><br />
daemon.<br />
For more information on EXCI security, refer to the <strong>CICS</strong> External Interfaces<br />
Guide, SC34-6006.<br />
<strong>CICS</strong> configuration<br />
Our <strong>CICS</strong> region, SCSCPJA4, was configured with security prefixing and<br />
transaction security active using the following parameters:<br />
► IRCSTRT=YES<br />
► SECPRFX=YES<br />
► SEC=YES<br />
► XDCT=NO<br />
► XFCT=NO<br />
► XPCT=NO<br />
► XPPT=NO<br />
► XTRAN=YES<br />
► XCMD=NO<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 103
Basic <strong>CICS</strong> TG configuration<br />
<strong>The</strong> commands listed in the following sections are in addition to the basic<br />
configuration necessary for normal functioning of the <strong>CICS</strong> TG for z/OS. Before<br />
you implement any security in your environment, we recommend that you set up<br />
and test a non-secure environment as documented in Chapter 4, “EXCI<br />
connections to <strong>CICS</strong>” on page 65 and Chapter 7, “TCP connections to the<br />
<strong>Gateway</strong> daemon on z/OS” on page 133. In this chapter, you will find<br />
documented the following actions, which are necessary for the normal<br />
functioning of the <strong>CICS</strong> TG in a non-secure environment:<br />
► Setup of the started task user ID<br />
► Access to the TCPIP.STANDARD.TCPXLBIN data set<br />
► Removal of the share bit (s extended attribute) from the ctgstart script<br />
► Access to the BPX.SERVER profile<br />
► Enabling of program control for <strong>CICS</strong> TG data sets and HFS files<br />
We now document the following steps necessary to secure access to our <strong>CICS</strong><br />
program EC01:<br />
► Configure MRO bind time security<br />
► Enable <strong>CICS</strong> TG password checking<br />
► Configure security for <strong>CICS</strong> CONNECTION and SESSIONS definitions<br />
► Configure the flowed user ID<br />
► Permit access to the mirror transaction, CSMI<br />
► Define RACF surrogate profiles<br />
104 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: We used security prefixing (SECPRFX=YES) in our <strong>CICS</strong> region, which<br />
prevents our RACF security profiles from affecting other <strong>CICS</strong> regions. This<br />
can be quite useful in a production environment, since it means all security<br />
profiles are unique to an individual region, but conversely it can mean more<br />
work for the security administrator because more profiles must be defined.<br />
Tip: We encountered problems when running a transactional EXCI request<br />
(using EciI1) with security enabled on the <strong>CICS</strong> TG. Each time we ran a<br />
request we would see dirty address space errors when attempting to access<br />
module DFHXCSVC in the SDHFLINK library. Marking<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHLINK as program controlled solved this problem.<br />
MRO bind security (DFHAPPL FACILITY class profiles)<br />
MRO bind security prevents unauthorized attached MRO regions from starting<br />
transactions in a <strong>CICS</strong> region, and as such applies equally to the <strong>CICS</strong> TG, as a<br />
user of MRO, as it does to <strong>CICS</strong>. It is implemented using two different DFHAPPL<br />
FACILITY class profiles that control logon to IRP. To log on to IRP, the user ID<br />
under which the <strong>CICS</strong> TG runs requires the following permissions:
► Update access to the RACF FACILITY class DFHAPPL.DFHJVPIPE, where<br />
DFHJVPIPE is the EXCI pipe name as defined in the <strong>CICS</strong> TG environment<br />
variable DFHJVPIPE, and in the NETNAME parameter in the <strong>CICS</strong><br />
SESSIONS definition. If a generic EXCI connection is used, there is no pipe<br />
name and this does not apply.<br />
► Read access to the RACF FACILITY CLASS DFHAPPL.APPLID, where<br />
APPLID is the APPLID of the <strong>CICS</strong> region in question.<br />
Note: Use of MRO bind-time security is optional and if these DFHAPPL<br />
profiles are not defined, then any MRO connected system will be able to<br />
connect to your <strong>CICS</strong> region.<br />
We activated MRO bind security for our configuration as follows:<br />
1. We gave update access to the RACF FACILITY class DFHAPPL.DFHJVPIPE<br />
using the following RACF command:<br />
RDEFINE FACILITY (DFHAPPL.SCSCTG4) UACC(NONE)<br />
PERMIT DFHAPPL.SCSCTG4 CLASS(FACILITY) ID(CTGUSER) ACCESS(UPDATE)<br />
SETROPTS RACLIST(FACILITY) REFRESH<br />
Note: We defined all of our security profiles with a UACC(NONE), meaning<br />
a universal access of none. Thus by default all users were denied access,<br />
and permissions were then granted for each user ID as required.<br />
2. We gave read access to the RACF FACILITY class DFHAPPL.APPLID with<br />
the following RACF command:<br />
RDEFINE FACILITY (DFHAPPL.SCSCPJA4) UACC(NONE)<br />
PERMIT DFHAPPL.SCSCPJA4 CLASS(FACILITY) ID(CTGUSER) ACCESS(READ)<br />
SETROPTS RACLIST(FACILITY) REFRESH<br />
Tip: <strong>The</strong> SETROPTS command above must be run every time you modify any<br />
RACF profiles, and will cause all the profiles in the specified RACF class<br />
(in our case FACILITY) to be activated in the LPAR.<br />
If your <strong>CICS</strong> TG for z/OS fails an MRO bind security check, you will receive the<br />
error shown in Example 6-1 on page 106 in the <strong>CICS</strong> TG JNI trace. Details on<br />
how to activate the JNI tracing can be found in “JNI trace” on page 176 in<br />
Chapter 7.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 105
106 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Example 6-1 JNI trace of an MRO bind security failure<br />
EXCI function error. Function Call = 6, Response = 12, Reason = 414,<br />
Subreason field-1 = 0, subreason field-2 = 0, Cics_Rc = -9<br />
Error message from <strong>CICS</strong>: DFHAC2033 .<br />
Debugging errors shown in the JNI trace is explained further in 7.4, “Problem<br />
determination” on page 164. However, the <strong>CICS</strong> error message DFHAC2033<br />
should be familiar to most <strong>CICS</strong> systems programmers.<br />
<strong>CICS</strong> TG password checking<br />
To enable the <strong>CICS</strong> TG to authenticate each user ID and password flowed on an<br />
ECI request, the environment variable AUTH_USERID_PASSWORD must be set<br />
in the <strong>CICS</strong> TG environment variables. We set this variable in our CTG4ENV<br />
PDS member (Example 6-2), which we supplied as input to our <strong>CICS</strong> TG started<br />
task, using the STDENV member. See 7.2.1, “Defining <strong>CICS</strong> TG environmental<br />
variables” on page 148 for more information on the STDENV DD.<br />
Example 6-2 <strong>CICS</strong> TG environment variables<br />
DFHJVPIPE=SCSCTG4<br />
AUTH_USERID_PASSWORD=YES<br />
JAVA_PROPAGATE=NO<br />
CTG_RRMNAME=CCL.CTG.<strong>IBM</strong>.UA<br />
<strong>CICS</strong>CLI=/ctg/scsctg4/CTG.INI<br />
CTGSTART_HOME=/usr/lpp/ctg402/ctg/bin<br />
EXCI_LOADLIB=<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI<br />
DFHJVSYSTEM_01=SCSCPJA1 - <strong>CICS</strong>TS 1.3<br />
DFHJVSYSTEM_02=SCSCPJA4 - <strong>CICS</strong>TS 2.2
CONNECTION and SESSIONS definitions<br />
In order for our <strong>CICS</strong> region to use the user ID flowed in the EXCI call from the<br />
<strong>CICS</strong> TG, we set the parameter ATTACHSEC=IDENTIFY in our EXCI connection<br />
definition in our <strong>CICS</strong> region SCSCPJA4, as shown in Figure 6-2.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter CONnection( CTG4 )<br />
CONnection : CTG4<br />
Group : PJA4CTG4<br />
DEscription ==><br />
CONNECTION IDENTIFIERS<br />
Netname ==> SCSCTG4<br />
INDsys ==><br />
CONNECTION PROPERTIES<br />
ACcessmethod ==> IRc Vtam | IRc | INdirect | Xm<br />
PRotocol ==> Exci Appc | Lu61 | Exci<br />
Conntype ==> Specific Generic | Specific<br />
SECURITY<br />
SEcurityname ==><br />
ATtachsec ==> Identify Local | Identify | Verify<br />
| Persistent | Mixidpe<br />
BINDPassword : PASSWORD NOT SPECIFIED<br />
BINDSecurity ==> No No | Yes<br />
Usedfltuser ==> No No | Yes<br />
Figure 6-2 <strong>CICS</strong> CONNECTION definition<br />
SYSID=PJA4 APPLID=SCSCPJA4<br />
IDENTIFY means that <strong>CICS</strong> uses the flowed user ID in the EXCI request, but<br />
does not expect a password to be flowed with the request, as this should be<br />
checked by the <strong>CICS</strong> TG itself.<br />
Link security<br />
Next we decided to disable link security. Link security is an additional level of<br />
security that applies to all attach requests received over a connection. For MRO<br />
or EXCI requests, this is set as follows.<br />
<strong>The</strong> SESSIONS definition is checked as follows:<br />
1. If the link user ID is the same as the region user ID, then the systems are<br />
deemed equivalent and no link security authorization is performed.<br />
2. If the link user ID is defined as anything else, then this user ID must have<br />
access to all resources that the EXCI requests need.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 107
108 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
3. If the USERID is blank, then the user ID of the connected region (that is, the<br />
user ID under which the <strong>CICS</strong> TG runs) is the link user ID.<br />
To disable link security means that we set our <strong>CICS</strong> TG region, SCSCTG4, and<br />
our <strong>CICS</strong> region, SCSCPJA4, to be equivalent systems. To do this, we set the<br />
USERID parameter in the SESSIONS definition to be SCSCPJA4, which is the<br />
<strong>CICS</strong> region user ID. Our SESSIONS definition is shown in Figure 6-3.<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter Sessions( CTG4SESS )<br />
Sessions : CTG4SESS<br />
Group : PJA4CTG4<br />
DEscription ==><br />
SESSION IDENTIFIERS<br />
Connection ==> CTG4<br />
SESSName ==><br />
NETnameq ==><br />
MOdename ==><br />
SESSION PROPERTIES<br />
Protocol ==> Exci Appc | Lu61 | Exci<br />
MAximum ==> 000 , 000 0-999<br />
RECEIVEPfx ==> C4<br />
RECEIVECount ==> 010 1-999<br />
PRESET SECURITY<br />
USERId ==> SCSCPJA4<br />
SYSID=PJA4 APPLID=SCSCPJA4<br />
Figure 6-3 <strong>CICS</strong> SESSIONS definition<br />
Many other intercommunication security configurations are possible. Table 6-3<br />
on page 120 lists the different settings for link security and ATTACHSEC and how<br />
they interoperate. In a production system, it is recommended that you specify<br />
ATTACHSEC=IDENTIFY and use non-equivalent systems, so that a link user ID<br />
is also used.<br />
Table 6-2 Attach security settings with an EXCI connection from the <strong>CICS</strong> TG<br />
Equivalent systems? Link user ID = region user ID Link user ID not = region user ID<br />
ATTACHSEC LOCAL IDENTIFY LOCAL IDENTIFY<br />
Link user ID check NO NO YES YES<br />
Flowed user ID check NO YES NO YES<br />
User ID mirror transaction<br />
runs under in <strong>CICS</strong><br />
<strong>CICS</strong> default<br />
user ID<br />
Flowed user ID Link user ID Flowed user ID
Configure the flowed user ID<br />
Because the <strong>CICS</strong> TG runs as a shell process under UNIX System Services, any<br />
user ID that it tries to authenticate with RACF, such as a user ID flowed with an<br />
ECI request, must have an OMVS segment defined in its RACF profile. See<br />
OS/390 UNIX System Services Planning, GA22-7800 for more information.<br />
Access to the mirror transaction, CSMI<br />
An EXCI request received by <strong>CICS</strong> from the <strong>CICS</strong> TG for z/OS attaches a mirror<br />
transaction, by default CSMI. <strong>The</strong>refore to authorize only our user ID <strong>CICS</strong>RS2<br />
to have access to the mirror transaction, we issued the following RACF command<br />
to define read access to the mirror transaction in the CLASS T<strong>CICS</strong>TRN:<br />
RDEF T<strong>CICS</strong>TRN SCSCPJA4.CSMI UACC(NONE)<br />
PERMIT SCSCPJA4.CSMI CL(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>RS2) ACCESS(READ)<br />
SETROPTS RACLIST(T<strong>CICS</strong>TRN) REFRESH<br />
Tip: For our examples, we permit access to a single user (<strong>CICS</strong>RS2). In a<br />
production environment, you will probably create a group of users requiring<br />
common access. Once a group is built, you will permit access to a group. This<br />
permits user’s access to be controlled by the group to which they belong,<br />
rather than by individual permissions. This can be used to simplify the security<br />
definitions required.<br />
SURROGAT security profiles<br />
In order for the EXCI to be able to switch the security context of the EXCI request<br />
to the flowed user ID, the correct SURROGAT security profiles must be defined.<br />
<strong>The</strong> user ID of the EXCI job (in our case the <strong>CICS</strong> TG started task) requires read<br />
access to the USERID.DFHEXCI SURROGAT class profile, where USERID is<br />
the flowed user ID in the EXCI request.<br />
We issued the following commands to permit our <strong>CICS</strong> TG started task user ID<br />
(CTGUSER) to switch to the user ID <strong>CICS</strong>RS2 that we wish to flow in the ECI<br />
request:<br />
RDEFINE SURROGAT <strong>CICS</strong>RS2.DFHEXCI UACC(NONE) OWNER(<strong>CICS</strong>RS2)<br />
PERMIT <strong>CICS</strong>RS2.DFHEXCI CLASS(SURROGAT) ID(CTGUSER) ACCESS(READ)<br />
SETROPTS RACLIST(SURROGAT) REFRESH<br />
Note: It is also possible to disable surrogate security by either reassembling the<br />
EXCI options table DFHXCOPT, with SURROGAT=NO, or by using a RACF<br />
surrogate profile with universal READ access such as:<br />
RDEFINE SURROGAT *.DFHEXCI UACC(READ)OWNER (<strong>CICS</strong>RS2)<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 109
110 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Testing<br />
In order to test our secure <strong>CICS</strong> TG for z/OS environment, we chose to use the<br />
EciB1 synchronous ECI sample. <strong>The</strong> runtime class for this is provided by the<br />
<strong>CICS</strong> TG in the CTGSAMPLES.JAR and the source is also provided in the<br />
samples\java\com\ibm\ctg\samples\eci directory. To test using the version in the<br />
CTGSAMPLES.JAR, it is merely necessary to copy CTGLCLIENT.JAR and<br />
CTGSAMPLES.JAR to your desired machine and set your classpath to contain<br />
these two JAR files.<br />
We ran our tests from a Windows workstation with the <strong>CICS</strong> TG already installed,<br />
so we set our classpath using the following command:<br />
SET CLASSPATH=C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\<br />
Classes\CTGCLIENT.JAR;C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\<br />
Classes\CTGSAMPLES.JAR<br />
Example 6-3 shows the results of testing EciB1 from a Windows workstation.<br />
Example 6-3 Testing z/OS EXCI security with EciB1 sample<br />
C:\>java com.ibm.ctg.samples.eci.EciB1 tcp://wtsc66oe.itso.ibm.com 2007<br />
<strong>CICS</strong> TG Basic ECI Sample 1<br />
Usage: java com.ibm.ctg.samples.eci.EciB1 [<strong>Gateway</strong> Url]<br />
[<strong>Gateway</strong> Port Number]<br />
To enable client tracing, run the sample with the following Java option:<br />
-Dgateway.T.trace=on<br />
<strong>The</strong> address of the <strong>Gateway</strong> has been set to TCP://WTSC66OE.ITSO.<strong>IBM</strong>.COM<br />
Port:2007<br />
<strong>CICS</strong> Servers Defined:<br />
1. SCSCPJA1 -<br />
2. SCSCPJA4 -<br />
Choose Server to connect to, or q to quit:<br />
2<br />
Enter your <strong>CICS</strong> User ID:<br />
<strong>CICS</strong>RS2<br />
Enter your <strong>CICS</strong> Password:<br />
PASSWORD<br />
Program EC01 returned with data:-<br />
Hex: 30362f30362f30322031343a31383a30380<br />
ASCII text: 06/06/02 21:19:08
EciB1 is written so that it will initially make a call to the specified <strong>CICS</strong> region<br />
without a user ID and password, and then if it receives a security error it will then<br />
prompt you for a user ID and password. It also allows trace to be activated by<br />
specifying -Dgateway.T.trace=on. This will trace the <strong>CICS</strong> TG calls made in the<br />
Java application and is particularly useful in showing the user ID and<br />
COMMAREA flowed to and from the <strong>CICS</strong> TG.<br />
When we ran EciB1 with trace on, we saw the following input on the first ECI call<br />
to the <strong>CICS</strong> TG specifying SCSCPJA4 as the <strong>CICS</strong> region. As seen in<br />
Example 6-4, the user ID at offset 57 is not set (low values), because we have<br />
not been prompted for it as yet.<br />
Example 6-4 EciB1 object/COMMAREA on initial call (created with -Dgateway.T.trace=on)<br />
S-C: CCL6603I: # 00000: 47 61 74 65 00 40 00 00 00 00 00 01 00 00 00 00 Gate.@..........<br />
S-C: CCL6603I: # 00016: 00 00 00 00 00 00 00 03 45 43 49 00 00 00 00 60 ........ECI....`<br />
S-C: CCL6603I: # 00032: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
S-C: CCL6603I: # 00048: 00 53 43 53 43 50 4A 41 34 00 00 00 00 00 00 00 .SCSCPJA4.......<br />
S-C: CCL6603I: # 00064: 00 00 00 00 00 00 00 00 00 2A 2A 2A 2A 2A 2A 2A .........*******<br />
In Example 6-5, we see the second ECI request to the <strong>CICS</strong> TG, after we had<br />
been prompted for a user ID and password. This time the user ID (<strong>CICS</strong>RS2) is<br />
contained in the ECI request and you can see the password (********) is masked<br />
for security reasons.<br />
Example 6-5 EciB1 object/COMMAREA after ID and password input (created with -Dgateway.T.trace=on)<br />
S-C: CCL6603I: # 00000: 47 61 74 65 00 40 00 00 00 00 00 01 00 00 00 00 Gate.@..........<br />
S-C: CCL6603I: # 00016: 00 00 00 00 00 00 00 03 45 43 49 00 00 00 00 60 ........ECI....`<br />
S-C: CCL6603I: # 00032: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
S-C: CCL6603I: # 00048: 00 53 43 53 43 50 4A 41 34 63 69 63 73 72 73 32 .SCSCPJA4<strong>CICS</strong>RS2<br />
S-C: CCL6603I: # 00064: 00 00 00 00 00 00 00 00 00 2A 2A 2A 2A 2A 2A 2A .........*******<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 111
6.2.2 ECI to <strong>CICS</strong> TG for Windows (TCP/IP)<br />
112 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In this example we show you how we configured security to allow an ECI-based<br />
Java application to make an authenticated call to <strong>CICS</strong> using the facilities of the<br />
<strong>CICS</strong> TG for Windows, using a TCP/IP connection to our <strong>CICS</strong> TS V2.2 region<br />
(Figure 6-4).<br />
As in the previous example, we used the supplied sample EciB1, and the <strong>CICS</strong><br />
server program, EC01, in our test. <strong>The</strong> aim of our test was to permit the user ID<br />
<strong>CICS</strong>RS2 access to the EC01 program and deny access to the user <strong>CICS</strong>RS5.<br />
Windows client<br />
Java<br />
application<br />
EciB1<br />
Port<br />
2006<br />
Windows NT<br />
volga<br />
<strong>CICS</strong> TG V4.0.2<br />
<strong>Gateway</strong><br />
daemon<br />
Client<br />
daemon<br />
Figure 6-4 ECI to <strong>CICS</strong> TG for Windows, security scenario<br />
JNI<br />
ECI request<br />
TCP/IP<br />
user ID +<br />
password<br />
TCPIP<br />
service<br />
z/OS<br />
<strong>CICS</strong> TS V2.2<br />
Region<br />
SCSCPAA6<br />
EC01<br />
program<br />
RACF<br />
TCP/IP security configuration<br />
When using TCP/IP connections to <strong>CICS</strong>, the <strong>CICS</strong> TG provides support for the<br />
flowing of a user ID and password within the ECI request, for authentication of<br />
this user ID and password within <strong>CICS</strong>, and authorization of requests using<br />
RACF. In the instructions that follow, we detail how we configured security in our<br />
<strong>CICS</strong> region and <strong>CICS</strong> TG.<br />
Basic <strong>CICS</strong> TG configuration<br />
In this section, we assume that you have already installed the <strong>CICS</strong> TG for<br />
Windows and configured a TCP/IP connection from the <strong>CICS</strong> TG to <strong>CICS</strong> TS<br />
V2.2. For further details on how to configure TCP/IP connections, refer to<br />
Chapter 5, “TCP/IP connections to <strong>CICS</strong>” on page 81.
<strong>CICS</strong> region configuration<br />
We used the same secure <strong>CICS</strong> region, SCSCPJA4, as we used in our previous<br />
tests with the <strong>CICS</strong> TG for z/OS. For further details on the security settings and<br />
SIT parameters, refer to “<strong>CICS</strong> configuration” on page 103.<br />
<strong>CICS</strong> TCPIPSERVICE definition<br />
In order for our <strong>CICS</strong> region to use the user ID and password flowed in the ECI<br />
request from the <strong>CICS</strong> TG, it is necessary to activate security in the TCP/IP<br />
service definition. To do this, we defined a TCPIPSERVICE definition and set<br />
ATTACHSEC=VERIFY, as shown in Figure 6-5. <strong>The</strong> port we used for this<br />
TCPIPSERVICE definition was 8048, meaning that the <strong>CICS</strong> region listens for<br />
ECI requests on this TCP/IP port. This port that must match the Port parameter<br />
defined in the <strong>CICS</strong> TG Configuration Tool TCP/IP settings (for details on how we<br />
defined this, see page 87 in Chapter 5).<br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter TCpipservice( PJA4TCP )<br />
TCpipservice : PJA4TCP<br />
GROup : PJA4GRP<br />
DEscription ==><br />
Urm ==><br />
POrtnumber ==> 08048 1-65535<br />
STatus ==> Open Open | Closed<br />
PRotocol ==> Eci Iiop | Http | Eci<br />
TRansaction ==> CIEP<br />
Backlog ==> 00128 0-32767<br />
TSqprefix ==><br />
Ipaddress ==><br />
SOcketclose ==> No No | 0-240000 (HHMMSS)<br />
SECURITY<br />
SSl ==> No Yes | No | Clientauth<br />
Certificate ==><br />
AUthenticate ==> No | Basic | Certificate | AUTORegister<br />
| AUTOMatic<br />
ATtachsec : Verify Local | Verify<br />
Figure 6-5 <strong>CICS</strong> TCPSERVICE definition<br />
SYSID=PJA4 APPLID=SCSCPJA4<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 113
114 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Permit access to the mirror transaction<br />
Any ECI requests received from the <strong>CICS</strong> TG for Windows run under a mirror<br />
transaction. By default, this will be the ASCII mirror, CPMI. To enable our desired<br />
user ID <strong>CICS</strong>RS2 to have access to this transaction, we issued the following<br />
RACF commands to grant access to the SCSCPJA4.CPMI profile to the user<br />
<strong>CICS</strong>RS2:<br />
RDEF T<strong>CICS</strong>TRN SCSCPJA4.CPMI UACC(NONE)<br />
PERMIT SCSCPJA4.CPMI CLASS(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>RS2) ACCESS(READ)<br />
SETROPTS RACLIST(T<strong>CICS</strong>TRN) REFRESH<br />
Testing<br />
In order to test our secure <strong>CICS</strong> TG for Windows environment, we again used the<br />
EciB1 synchronous ECI sample. This runtime class for this is provided by the<br />
<strong>CICS</strong> TG in the CTGSAMPLES.JAR and the source is also provided in the<br />
samples\java\com\ibm\ctg\samples\eci directory. To test using the version in the<br />
CTGSAMPLES.JAR, it is merely necessary to copy CTGLCLIENT.JAR and<br />
CTGSAMPLES.JAR to your desired machine and set your classpath to contain<br />
these two JAR files.<br />
We ran our tests from a Windows workstation with the <strong>CICS</strong> TG already installed,<br />
so we set our classpath using the following command:<br />
SET CLASSPATH=C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\<br />
Classes\CTGCLIENT.JAR;C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\<br />
Classes\CTGSAMPLES.JAR<br />
Since we have set up security so a user ID and password are required, EciB1<br />
detects a security error caused by the first request, which includes a null user ID<br />
and password. EciB1 then prompts for a user ID and password, which it flows<br />
with the ECI request. Example 6-6 shows the results of a successful test with<br />
EciB1.<br />
Example 6-6 Testing z/OS EXCI security with EciB1 sample<br />
C:\>java com.ibm.ctg.samples.eci.EciB1 tcp://volga.almaden.ibm.com 2007<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Basic ECI Sample 1<br />
-------------------------------------------<br />
Usage: java com.ibm.ctg.samples.eci.EciB1 [<strong>Gateway</strong> Url]<br />
[<strong>Gateway</strong> Port Number]<br />
To enable client tracing, run the sample with the following Java option:<br />
-Dgateway.T.trace=on<br />
<strong>The</strong> address of the <strong>Gateway</strong> has been set to tcp://volga.almaden.ibm.com<br />
Port:2007<br />
<strong>CICS</strong> Servers Defined:
1. SC62PJA1 -<strong>CICS</strong>TS 2.2 AT SC66<br />
2. SCSCPJA4 -<strong>CICS</strong>TS 2.2 AT SC66<br />
Choose Server to connect to, or q to quit:<br />
2<br />
Enter your <strong>CICS</strong> User ID:<br />
<strong>CICS</strong>RS2<br />
Enter your <strong>CICS</strong> Password:<br />
PASSWORD<br />
Program EC01 returned with data:-<br />
Hex: 32332f30362f30322031303a35373a34370<br />
ASCII text: 23/06/02 10:57:47<br />
6.2.3 EPI to <strong>CICS</strong> TG for Windows (TCP62)<br />
In this example, we show you how we configured security to allow an EPI-based<br />
Java application to make an authenticated call to <strong>CICS</strong> using the facilities of the<br />
<strong>CICS</strong> TG for Windows, using a TCP62 connection to our <strong>CICS</strong> TS V2.2 region<br />
(Figure 6-6). Since we were using the EPI to access a 3270-based <strong>CICS</strong><br />
transaction, we decided to use the TCP62 communication protocol, since EPI is<br />
not supported either by the <strong>CICS</strong> TCP/IP protocol or by the <strong>CICS</strong> TG for z/OS.<br />
Windows client<br />
Java<br />
application<br />
Port<br />
2006<br />
Windows 2000<br />
volga<br />
<strong>CICS</strong> TG V4.0.2<br />
<strong>Gateway</strong><br />
daemon<br />
Figure 6-6 EPI to <strong>CICS</strong> TG for Windows, security scenario<br />
JNI<br />
Client<br />
daemon<br />
EPI request<br />
TCP62<br />
user ID +<br />
password<br />
Virtual<br />
terminal<br />
z/OS<br />
<strong>CICS</strong> TS V2.2<br />
Region<br />
SCSCPAA6<br />
RACF<br />
Unlike the previous ECI examples, we decided to write our own test applications,<br />
because we wanted to show the difference between signon capable and signon<br />
incapable terminals. Our sample Java applications (SignonCapable and<br />
EPIP<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 115
116 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
SignonIncapable) are written to use the EPI support classes, and are available<br />
with the additional materials for this book (see Appendix C, “Additional material”<br />
on page 389). Both of these applications work with the <strong>CICS</strong> 3270 program,<br />
EPIPROG, which is a very simple BMS-based application that returns a map<br />
displaying the <strong>CICS</strong> region APPLID, date, time, and the user ID the task ran<br />
under (Figure 6-7).<br />
EPIPROG OUTPUT<br />
APPLID: SCSCPJA4<br />
DATE: 25/06/02<br />
TIME: 00:45:38<br />
USERID: <strong>CICS</strong>RS2<br />
Figure 6-7 EPIP 3270 screen<br />
<strong>The</strong> source code (EPIPROG), and the mapset (EPIPMAPS) for this application<br />
are provided in the additional material available with this redbook, along with the<br />
associated map class EPIMAPMap.java.<br />
Signon capable terminals<br />
When using the facilities of the EPI, the <strong>CICS</strong> TG creates a logical terminal in<br />
<strong>CICS</strong> for you, which is then used to run the 3270 transaction. For an EPI<br />
application to be able to start a secured <strong>CICS</strong> transaction on this terminal, it must<br />
supply security credentials (a user ID and password) for the <strong>CICS</strong> server to<br />
authenticate. <strong>The</strong>re are two options available to do this:<br />
► Sign on to the <strong>CICS</strong> terminal<br />
<strong>The</strong> security credentials determined are established at sign-on (by starting a<br />
transaction such as CESN). <strong>The</strong>se credentials are then used for any<br />
subsequent authorization checks when starting other transactions. <strong>The</strong> user<br />
ID and password need not flow with further requests following the sign-on.<br />
This requires a signon capable EPI terminal.<br />
► Flow a user ID and password with each EPI request<br />
A valid user ID and password must be flowed with each EPI request. This<br />
method does not require the user to sign on to <strong>CICS</strong>, and so uses a signon<br />
incapable EPI terminal.
<strong>The</strong>refore, when writing an EPI application the application designer must choose<br />
between using a signon capable or signon incapable terminal, both of which<br />
require the use of an EPI extended terminal. For further details on our tests with<br />
signon capable and signon incapable terminals. refer to “EPI security choices” on<br />
page 120.<br />
Note: It is also possible to use a basic terminal in EPI applications. With a<br />
basic terminal, there is no ability to set the sign-on capability, and instead, any<br />
security credentials (the user ID and password) must be hardcoded on each<br />
server connection definition in the <strong>CICS</strong> TG configuration file. We do not<br />
discuss this option in this book, since the use of extended terminals allows an<br />
individual user ID and password to be flowed on each EPI request and<br />
therefore provides a more secure alternative. For further details on developing<br />
EPI applications, refer to the <strong>IBM</strong> redbook Java Connectors for <strong>CICS</strong>,<br />
SG24-6401.<br />
<strong>CICS</strong> CONNECTION and SESSIONS definitions<br />
In our example we decided to use connection autoinstall for our TCP62<br />
connections. To configure security for these autoinstalled connection, we created<br />
a copy of the supplied APPC connection templates as follows:<br />
CEDA COPY CONN(CBPS) TO GROUP(PJA4AI62)<br />
CEDA COPY SESS(CBPS) TO GROUP(PJA4AI62)<br />
We then modified the CONNECTION definition as shown in Figure 6-8 on<br />
page 118, ensuring that we specified the following parameters:<br />
► ACCESSMETHOD(VTAM)<br />
► PROTOCOL(APPC)<br />
<strong>The</strong>se parameters are used to indicate that VTAM will be used with this APPC<br />
connection.<br />
► ATTACHSEC(VERIFY)<br />
This is used to ensure that the autoinstalled CONNECTION will require the<br />
incoming user ID and password to be verified.<br />
► USEDFLTUSER(YES)<br />
This parameter specifies that a terminal install request (using the CTIN<br />
transaction) without a user ID and password will run without a security check<br />
under the default <strong>CICS</strong> user ID.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 117
118 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter CONnection( CBPS )<br />
CONnection : CBPS<br />
Group : PJA4AI62<br />
DEscription ==> APPC AUTOINSTALL TEMPLATE, WITH SECURITY<br />
CONNECTION IDENTIFIERS<br />
Netname ==> TMPLATE1<br />
INDsys ==><br />
CONNECTION PROPERTIES<br />
ACcessmethod ==> Vtam Vtam | IRc | INdirect | Xm<br />
PRotocol ==> Appc Appc | Lu61 | Exci<br />
Conntype ==> Generic | Specific<br />
SInglesess ==> No No | Yes<br />
DAtastream ==> User User | 3270 | SCs | STrfield | Lms<br />
RECordformat ==> U U | Vb<br />
SECURITY<br />
SEcurityname ==> SCSCPJA4<br />
ATtachsec ==> Verify Local | Identify | Verify | Persistent<br />
| Mixidpe<br />
BINDPassword : PASSWORD NOT SPECIFIED<br />
BINDSecurity ==> No No | Yes<br />
Usedfltuser ==> No No | Yes<br />
Figure 6-8 CBPS CONNECTION definition<br />
SYSID=PJA4 APPLID=SCSCPJA4<br />
We also modified the SESSIONS definition as shown in Figure 6-9 on page 119<br />
ensuring that we specified the following parameters:<br />
► MODENAME(APPCMODE)<br />
► MAXIMUM=(08,001)<br />
<strong>The</strong>se parameters were used to control the APPC mode group name and<br />
properties as we had also defined in our TCP62 connection in the <strong>CICS</strong> TG.
OVERTYPE TO MODIFY <strong>CICS</strong> RELEASE = 0620<br />
CEDA ALter Sessions( CBPS )<br />
Sessions : CBPS<br />
Group : PJA4AI62<br />
DEscription ==> APPC AUTOINSTALL TEMPLATE, WITH SECURITY<br />
SESSION IDENTIFIERS<br />
Connection ==> CBPS<br />
SESSName ==><br />
NETnameq ==><br />
MOdename ==> APPCMODE<br />
SESSION PROPERTIES<br />
Protocol ==> Appc Appc | Lu61 | Exci<br />
MAximum ==> 008 , 001 0-999<br />
RECEIVEPfx ==><br />
RECEIVECount ==> 1-999<br />
SENDPfx ==><br />
SENDCount ==> 1-999<br />
SENDSize ==> 04096 1-30720<br />
RECEIVESize ==> 04096 1-30720<br />
Figure 6-9 CBPS SESSIONS definition<br />
We then installed this CONNECTION template using the command:<br />
CEDA INS GR(PJA4AI62)<br />
SYSID=PJA4 APPLID=SCSCPJA4<br />
Important: For an autoinstall connection to be successful, you must also set<br />
the autoinstall program to be DFHZATDY. For further details refer to 2.2.3,<br />
“<strong>CICS</strong> connection autoinstall” on page 23.<br />
Link security<br />
Next we decided to disable link security. Link security is an additional level of<br />
security that applies to all attach requests received over a connection. For APPC<br />
requests such as TCP62, this is set as follows.<br />
<strong>The</strong> SESSIONS definition is checked as follows:<br />
1. <strong>The</strong> SESSIONS definition is checked. If the USERID parameter is specified,<br />
this is used as the link user ID and no further checks are made.<br />
2. <strong>The</strong> CONNECTION definition is checked, and the SECURITYNAME specified<br />
here is used as the link user ID.<br />
3. If all else fails, the <strong>CICS</strong> default user ID will be used.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 119
120 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In disabling link security, we set our <strong>CICS</strong> TG region and our <strong>CICS</strong> region<br />
SCSCPJA4 to be equivalent systems. To achieve this, we set the<br />
SECURITYNAME parameter in the CONNECTION definition to be SCSCPJA4,<br />
which is the <strong>CICS</strong> region user ID. Our CONNECTION definition is shown in<br />
Figure 6-8 on page 118.<br />
Many other intercommunication security configurations are possible. Table 6-2<br />
on page 108 lists the different settings for link security and ATTACHSEC and how<br />
they interoperate. In a production system, it is recommended that you specify<br />
ATTACHSEC=IDENTIFY and use non-equivalent systems, so that a link user ID<br />
is also used for authorization. This can be used to limit the maximum authority<br />
any given user can obtain when using the connection.<br />
Table 6-3 Attach security settings with a distributed <strong>CICS</strong> TG<br />
Equivalent systems? Link user ID = region user ID Link user ID not = region user ID<br />
ATTACHSEC LOCAL VERIFY LOCAL VERIFY<br />
Link user ID check NO NO YES YES<br />
Flowed user ID check NO YES NO YES<br />
User ID <strong>CICS</strong> transaction runs<br />
under<br />
<strong>CICS</strong> default<br />
user ID<br />
Flowed user<br />
ID<br />
Link user ID Flowed user ID<br />
Securing access to the EPIP transaction<br />
To secure the <strong>CICS</strong> transaction EPIP, we first defined the RACF profile<br />
SCSCPJA4.EPIP with a default access of NONE. This had the effect of denying<br />
access to all users. <strong>The</strong>n we permitted access to <strong>CICS</strong>RS2. <strong>The</strong> following<br />
commands were used to define the RACF profiles:<br />
RDEF T<strong>CICS</strong>TRN SCSCPJA4.EPIP UACC(NONE)<br />
PERMIT SCSCPJA4.EPIP CLASS(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>RS2) ACCESS(READ)<br />
SETROPTS RACLIST(T<strong>CICS</strong>TRN) REFRESH<br />
EPI security choices<br />
<strong>The</strong> EPI provides support for two distinct methods for connecting to secured<br />
transaction in <strong>CICS</strong>. <strong>The</strong> two options available are:<br />
► Sign on to the <strong>CICS</strong> terminal before sending an EPI request, or<br />
► Flow a user ID and password with each request<br />
We discuss each of these options in the following two scenarios.
Sign on to the <strong>CICS</strong> terminal<br />
This requires the EPI application to invoke a sign-on transaction such as CESN.<br />
With this method, a valid user ID and password must be supplied at the time of<br />
the sign-on, but after this all transactions run on the terminal under these<br />
credentials. This requires the use of an EPI signon capable terminal, a code<br />
example for which is shown in Figure 6-10. <strong>The</strong> full version of this code is<br />
provided in our sample Java application SignonCapable.java in the<br />
itso.cics.epi package supplied with this book.<br />
Terminal term =<br />
new Terminal(<br />
epiGate, // <strong>CICS</strong> TG URL<br />
cicsRegion, // <strong>CICS</strong> server<br />
null, // device type<br />
null, // netname<br />
Terminal.EPI_SIGNON_CAPABLE, // signon flag<br />
termUserid, // userid for CTIN<br />
termPassword, // password<br />
0, // timeout<br />
null); // encoding<br />
term.connect(); // install terminal with CTIN<br />
Screen scr = term.getScreen();<br />
scr.field(1).setText("CESN"); // set transaction to CESN<br />
scr.setAID(AID.enter);<br />
term.send(); // start CESN transaction<br />
......<br />
scr.field(1).setText("EPIP"); // set EPIP user transaction<br />
scr.setAID(AID.enter);<br />
term.send(); // start EPIP<br />
Figure 6-10 Using a signon capable terminal<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 121
122 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Verifying EPI signon capable security<br />
In our scenario, we set USEDFLTUSER(YES) on our CONNECTION definition.<br />
This means the CTIN and CESN requests will run using the default user ID.<br />
<strong>The</strong>refore we needed to supply only a valid user ID and password for the request<br />
to run our actual EPI transaction.<br />
Tip: If you set USEDFLTUSER(YES) on your CONNECTION definition, then<br />
you should realize that this will allow any user to install EPI terminals in your<br />
<strong>CICS</strong> region without any authentication, since any user ID and password<br />
specified on the Terminal constructor will be ignored for the install of the<br />
terminal by the CTIN transaction. If you wish to restrict this behavior, you<br />
should specify USEDFLTUSER(NO) on the <strong>CICS</strong> CONNECTION definition<br />
and then specify a valid user ID and password for the CTIN install. In<br />
Figure 6-10 this is controlled by the termUserid and termPassword fields. If you<br />
do this, you must also permit READ access to the CTIN transaction for the<br />
desired user ID using the following commands:<br />
RDEF T<strong>CICS</strong>TRN SCSCPJA4.CTIN UACC(NONE)<br />
PERMIT SCSCPJA4.CTIN CLASS(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>RS2) ACCESS(READ)<br />
SETROPTS RACLIST(T<strong>CICS</strong>TRN) REFRESH<br />
In Example 6-7, you can see the results of a successful call to the EPIP<br />
transaction from our SignonCapable EPI application.<br />
Example 6-7 Successful test with SignonCapable EPI application<br />
C:\itsoctgv5\Java>java itso.cics.epi.SignonCapable tcp:\\volga SC62PJA4 <strong>CICS</strong>RS2<br />
PASSWORD<br />
<strong>Gateway</strong> URL: tcp://volga/<br />
Region: SC62PJA4<br />
Userid: <strong>CICS</strong>RS2<br />
Password: PASSWORD<br />
Adding signon capable terminal with userid:null<br />
Netname: CCLIE017<br />
Starting CESN<br />
Entering userid and password<br />
DFHCE3549:Now signed on to <strong>CICS</strong><br />
Starting EPIP<br />
EPIP results<br />
Time : 02:12:01<br />
Date : 25/06/02<br />
Applid : SCSCPJA4<br />
Userid : <strong>CICS</strong>RS2<br />
Closing terminal and gateway
In contrast, Example 6-8 shows the result of an unauthorized user (<strong>CICS</strong>RS5)<br />
attempting to access the EPIP transaction.<br />
Example 6-8 Security failure with SignonCapable EPI test<br />
C:\itsoctgv5\Java>java itso.cics.epi.SignonCapable tcp:\\volga SC62PJA4 <strong>CICS</strong>RS5<br />
PASSWORD<br />
<strong>Gateway</strong> URL: tcp://volga/<br />
Region: SC62PJA4<br />
Userid: <strong>CICS</strong>RS5<br />
Password: PASSWORD<br />
Unknown EPI error encountered<br />
Error message was :Map is not valid<br />
com.ibm.ctg.epi.EPIMapException: Map is not valid<br />
at itso.cics.epi.EPIMAPMap.(EPIMAPMap.java:42)<br />
at itso.cics.epi.SignonCapable.main(SignonCapable.java:159)<br />
<strong>The</strong> EPIMapException error in Example 6-8 merely states that the screen received<br />
when running the EPIP transaction was not expected. This is because we used<br />
the EPI Map class to handle the expected output from the EPIP transaction. <strong>The</strong><br />
actual cause of the error can be seen by examining the <strong>CICS</strong> JESMSGLG where<br />
the following security violation was logged.<br />
Example 6-9 JES SYSLOG error for EPIP security violation<br />
ICH408I USER(<strong>CICS</strong>RS5 ) GROUP(SYS1 ) NAME(<strong>CICS</strong> RESIDENT ) 552<br />
SCSCPJA4.EPIP CL(T<strong>CICS</strong>TRN)<br />
INSUFFICIENT ACCESS AUTHORITY<br />
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )<br />
Flow a user ID and password with each EPI request<br />
If your <strong>CICS</strong> application does not need to invoke an EXEC <strong>CICS</strong> SIGNON, then a<br />
better option is to use signon incapable terminals. With this method the EPI user<br />
is not required to explicitly sign on to <strong>CICS</strong>. Instead a user ID and password must<br />
be supplied with each EPI request, and these are flowed in the FMH attach<br />
header and verified for each request. A sample code snippet demonstrating this<br />
technique is shown in Figure 6-11 on page 124. <strong>The</strong> full version of this code is<br />
provided in our sample Java application SignonIncapable.java in the<br />
itso.cics.epi package supplied with this book.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 123
124 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
new Terminal(<br />
epiGate, // <strong>CICS</strong> TG URL<br />
cicsRegion, // <strong>CICS</strong> server<br />
null, // device type<br />
null, // netname<br />
Terminal.EPI_SIGNON_INCAPABLE,<br />
userid, // userid for CTIN<br />
password, // password<br />
0, // timeout<br />
null); // encoding<br />
Screen scr = term.getScreen();<br />
term.connect(); // install terminal with CTIN<br />
term.setUserid(userid); // set userid for EPI request<br />
term.setPassword(password); // set passowrd<br />
scr.field(1).setText("EPIP"); // set EPIP user transaction code<br />
scr.setAID(AID.enter);<br />
term.send(); // start EPIP transaction<br />
....<br />
Figure 6-11 Using a signon incapable terminal<br />
To enable access from our SignonIncapable application to our EPIP test<br />
transaction, it was necessary to grant READ access for our <strong>CICS</strong>RS2 user ID to<br />
the RACF profiles protecting both the EPIP and CTIN transactions as follows:<br />
PERMIT SCSCPJA4.CTIN CLASS(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>USER) ACCESS(READ)<br />
PERMIT SCSCPJA4.EPIP CLASS(T<strong>CICS</strong>TRN) ID(<strong>CICS</strong>RS2) ACCESS(READ)<br />
SETROPTS RACLIST(T<strong>CICS</strong>TRN) REFRESH<br />
Tip: Unlike signon capable terminals, we found that when using signon<br />
incapable EPI terminals, we also had to ensure the link user ID had READ<br />
access to the T<strong>CICS</strong>TRN profile protecting the EPIP and CTIN transactions.<br />
However, instead of creating another profile, we fixed this by making our<br />
systems equivalent, by setting the SECURITYNAME in the CONNECTION<br />
definition to be the same as the region user ID (SCSCPJA4), as shown in<br />
Figure 6-8.
Verifying EPI signon incapable security<br />
In Example 6-10, we show a successful call to EPIP using our signon incapable<br />
EPI application.<br />
Example 6-10 Successful test with signon incapable application<br />
C:\itsoctgv5\Java>java itso.cics.epi.SignonIncapable tcp:\\volga SC62PJA4<br />
<strong>CICS</strong>RS2 PASSWORD<br />
<strong>Gateway</strong> URL: tcp://volga/<br />
Region: SC62PJA4<br />
Userid: <strong>CICS</strong>RS2<br />
Password: PASSWORD<br />
Adding signon incapable terminal<br />
Netname: VOLG0015<br />
Starting EPIP<br />
Time : 18:02:40<br />
Date : 26/06/02<br />
Applid : SCSCPJA4<br />
Userid : <strong>CICS</strong>RS2<br />
Closing terminal and gateway<br />
Example 6-11 shows the result of an unauthorized user attempting to access our<br />
example. <strong>The</strong> JES SYSLOG (Example 6-12) shows <strong>CICS</strong>RS5 as failing in an<br />
attempt to access CTIN.<br />
Example 6-11 Security failure with SignonIncapable EPI test<br />
C:\itsoctgv5\Java>java itso.cics.epi.SignonCapable tcp:\\volga scscpja4 cicsrs5<br />
PASSWORD<br />
<strong>Gateway</strong> URL: tcp://volga/<br />
Region: SC62PJA4<br />
Userid: <strong>CICS</strong>RS5<br />
Password: PASSWORD<br />
Adding signon incapable terminal<br />
com.ibm.ctg.epi.EPIRequestException: CCL6799I: Return code EPI_ERR_SECURITY<br />
from EPIRequest.addExTerminal call.<br />
at com.ibm.ctg.epi.Terminal.flowConnect(Terminal.java:461)<br />
at com.ibm.ctg.epi.Terminal.connect(Terminal.java:420)<br />
at itso.cics.epi.SignonIncapable.main(SignonIncapable.java:105)<br />
Example 6-12 JES SYSLOG error for CTIN security violation<br />
18.04.27 STC22530 ICH408I USER(<strong>CICS</strong>RS5 ) GROUP(SYS1 ) NAME(<strong>CICS</strong>RS5 )<br />
950 SCSCPJA4.CTIN CL(T<strong>CICS</strong>TRN)<br />
950 INSUFFICIENT ACCESS AUTHORITY<br />
950 ACCESS INTENT(READ ) ACCESS ALLOWED(NONE)<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 125
6.3 Problem determination<br />
6.3.1 Tips and utilities<br />
126 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
It is unlikely any implementation will be totally error free the first time you try<br />
things. In this section, we provide some hints and tips based on the experience<br />
we gained during this redbook project.<br />
In this section, we provide some useful commands and utilities for debugging<br />
problems with your configuration, as well as some additional information about<br />
topics discussed in this chapter.<br />
EXCI sign-on/sign-off message suppression<br />
When running any application that connects to <strong>CICS</strong> through the EXCI (such as<br />
the <strong>CICS</strong> TG for z/OS), <strong>CICS</strong> will write one DFHSN1400/DFHSN1500 message<br />
pair to the <strong>CICS</strong> joblog. With the <strong>CICS</strong> TG for z/OS, this will occur each time an<br />
ECI request is flowed to the <strong>CICS</strong> TG. It may be desirable to suppress these<br />
sign-on messages, since so many can be produced. This could be done either by<br />
making the system equivalent (specifying a link user ID on the <strong>CICS</strong> SESSIONS<br />
definition) or by using the <strong>CICS</strong> user exit XMEOUT. An assembler sample of this<br />
program can be found in SDFHSAMP(DFH$SXP1).<br />
Error messages<br />
<strong>The</strong>re are several pieces of software involved in securing <strong>CICS</strong> TG access to<br />
<strong>CICS</strong>. Because of this, error messages required for problem determination are<br />
seen in different locations. Below is a list of locations to look for error messages<br />
dealing with security problems:<br />
<strong>CICS</strong> MSGUSR DD This DD, located in the active <strong>CICS</strong> region, can provide<br />
error messages having to do with VTAM connections<br />
to <strong>CICS</strong>. This also shows many security errors not<br />
shown anywhere else.<br />
JES SYSLOG General security errors are displayed here. If you<br />
suspect a RACF error, search for the message<br />
ICH408.<br />
<strong>Gateway</strong> daemon trace This provides an indication of the errors the <strong>Gateway</strong><br />
daemon itself encounters.<br />
<strong>CICS</strong> TG JNI logs <strong>The</strong>se log files are automatically created in the<br />
$HOME/ibm/ctg directory and contain a log of all the<br />
EXCI errors received by the CTG JNI module.<br />
<strong>CICS</strong> TG JNI trace This provides tracing of the EXCI calls made by the<br />
<strong>CICS</strong> TG JNI module libCTGJNI.so, and can be very
useful in problem determination. This is a lower level of<br />
trace than the <strong>Gateway</strong> daemon trace. <strong>The</strong> logs are<br />
named after the pid number of the <strong>Gateway</strong> daemon<br />
process and so there is a unique log for each run of<br />
the <strong>CICS</strong> TG.<br />
Java client trace Turning on the Java client trace (in our case in the<br />
application EciB1) allows you to see the calls made to<br />
the <strong>CICS</strong> TG as well as the COMMAREA data.<br />
Also helpful in problem diagnosis is the echo command. Including the echo<br />
command in the ctgstart script can be useful to help display the contents of<br />
variables. For example the following statement will display the setting of<br />
AUTH_USERID_PASSWORD:<br />
echo AUTH_USERID_PASSWORD=$AUTH_USERID_PASSWORD<br />
User not defined to RACF<br />
Figure 6-13 is taken from the <strong>CICS</strong> MSGUSR DD. This shows user <strong>CICS</strong>RSX<br />
trying to access the system via IRP. <strong>CICS</strong>RSX is not defined to RACF.<br />
Example 6-13 ACF access denied, user ID not defined<br />
DFHSN1604 06/03/2002 22:55:33 SCSCPJA4 Attach header signon at terminal C31 by<br />
user <strong>CICS</strong>RSX has failed. SAF codes are (X'00000004',X'00000000'). ESM codes are<br />
(X'00000004',X'00000000').<br />
DFHAC2047 06/03/2002 22:55:33 SCSCPJA4 While performing an attach for node<br />
SCSCTG4 a security violation was detected.<br />
In looking up DFHSH1604, we are informed SAF/ESM codes may be found in<br />
External Security Interface (RACROUTE) Macro Reference for MVS,<br />
GC23-3733. This manual tells us the error code for a SAF rc=4 and RACF rc=4 is<br />
a user profile is not defined to RACF error. Of course, you could have<br />
determined this by looking in the SYSLOG.<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 127
128 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
ECI return codes<br />
<strong>The</strong> return codes for ECI calls, usually a negative number, can be found in the file<br />
header file cics_eci.h. This is not supplied on z/OS but can be found in the<br />
directory \ctg\include if using the <strong>CICS</strong> TG on Windows, AIX, Solaris, or OS/2. A<br />
summary of some common security errors we encountered is given below. For<br />
further details on errors with the <strong>CICS</strong> TG for z/OS, refer also to 7.4.1, “Tips and<br />
utilities” on page 164.<br />
ECI_ERR_INVALID_DATA_LENGTH -1<br />
This is a general error that notes that the <strong>CICS</strong> TG is unable to contact the <strong>CICS</strong><br />
region. When this happens, a JNI trace (detailed in “EXCI connections to <strong>CICS</strong>”<br />
chapter) is often helpful.<br />
<strong>The</strong> <strong>CICS</strong> TG JNI trace provides a UNIX errno return code. This is a standard<br />
UNIX style return code and on z/OS they are defined in the header file<br />
/usr/include/errno.h. In the following examples we show the JNI trace entry the<br />
errno.h entry and the actual reason we found for each error.<br />
► Errno 121<br />
JNI trace entry CCL6808I: CcicsECI: Authorize userid/password with<br />
RACF. Return code = -1, errno = 121.<br />
errno.h #define EINVAL 121 /* Invalid argument<br />
Reason SURROGATE=YES but user ID and password null<br />
► Errno 139<br />
JNI trace entry CCL6808I: CcicsECI: Authorise userid/password with<br />
RACF. Return code = -1, errno = 139.<br />
errno.h #define EPERM 139 /* Operation not permitted */<br />
Reason Security failure due to improper program control<br />
permissions<br />
► Errno 157<br />
JNI trace entry CCL6808I: CcicsECI: Authorize userid/password with<br />
RACF. Return code = -1, errno = 157.<br />
errno.h #define EMVSERR 157 /* A MVS internal error has<br />
occurred */<br />
Reason SURROGATE=YES and JAVA_PROPAGATE=YES
► Errno 163<br />
JNI trace entry CCL6808I: CcicsECI: Authorize userid/password with<br />
RACF. Return code = -1, errno = 163.<br />
errno.h #define EMVSSAFEXTRERR 163 /* SAF/RACF extract<br />
error */<br />
Reason SURROGATE=YES and unauthorized RACF ID used<br />
Tip: <strong>The</strong> errno diagnostic information should only be used if the return code is<br />
not equal to 0. In the errors above, the return code is -1.<br />
ECI_ERR_NO_<strong>CICS</strong> -3<br />
This error can occur because:<br />
► Inter-region communication (IRC) has not been started in the <strong>CICS</strong> region<br />
► <strong>The</strong> EXCI CONNECTION definition is not installed in the <strong>CICS</strong> region<br />
► <strong>The</strong> NETNAME in your EXCI connection does not match the value of the<br />
DFHJVPIPE variable referred to on the STDENV DD card in the <strong>CICS</strong> TG<br />
startup JCL.<br />
ECI_ERR_SYSTEM_ERROR -9<br />
This error generally implies that there is a problem with the EXCI communication<br />
mechanism. In our tests, we found this could be caused by two quite different<br />
situations:<br />
► Security attach failure for the mirror transaction<br />
If you are using security and the user ID flowed in the ECI request does not<br />
have READ access to the T<strong>CICS</strong>TRN class profile controlling access to the<br />
specified mirror transaction, then you will receive this error. If this is the case,<br />
you will also receive the error message ICH408I in the <strong>CICS</strong> job log. For<br />
details on configuring the required profiles, refer to “Access to the mirror<br />
transaction, CSMI” on page 109.<br />
► MRO bind security failure<br />
Access to DFHIRP is controlled by the DFHAPPL. and<br />
DFHAPPL. profiles in the RACF FACILITY class.<br />
If you do not permit your <strong>CICS</strong> TG for z/OS address space user ID to log on to<br />
IRP, you will receive the error seen in Example 6-14. This was captured from<br />
a JNI trace. Details on getting this trace can be found in “JNI trace” on<br />
page 176.<br />
Example 6-14 JNI trace of an unauthorized link<br />
Chapter 6. <strong>CICS</strong> TG security scenarios 129
130 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
EXCI function error. Function Call = 6, Response = 12, Reason = 414, Subreason<br />
field-1 = 0, subreason field-2 = 0, Cics_Rc = -9<br />
Error message from <strong>CICS</strong>: DFHAC2033 .<br />
When you look up the response code 12, reason code 414, you see this<br />
translates to the message - IRP_ABORT_RECEIVED. You can find this<br />
message in the <strong>CICS</strong> External Interfaces Guide, SC34-6006.<br />
ECI_ERR_SECURITY_ERROR -27<br />
This error can be caused by several different situations, including the following:<br />
► Surrogate security checking has failed. Check the MVS system console for<br />
RACF errors. For details on configuring surrogate security, refer to “Surrogate<br />
user security” on page 101.<br />
► <strong>The</strong> <strong>CICS</strong> TG failed to authenticate the user ID and password specified in the<br />
ECI call. If you do not wish to authenticate this user ID and password within<br />
the <strong>CICS</strong> TG, ensure the variable AUTH_USERID_PASSWORD is not set in<br />
any of the following locations:<br />
– ctgenvvar<br />
– STDENV input member<br />
– <strong>The</strong> .profile of the <strong>CICS</strong> TG started task<br />
– /etc/profile<br />
– ctgstart script<br />
► Program control should be enabled for SDFHEXCI. If this data set has an<br />
alias and you secure on the alias, you will see this error.
Part 3 <strong>Gateway</strong><br />
daemon<br />
scenarios<br />
Part 3<br />
In this section, we give details on how we configured the <strong>Gateway</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> daemon on Windows 2000, OS/390, and Linux, and how we configured<br />
TCP/IP or Secure Sockets Layer (SSL) connections to the <strong>Gateway</strong> daemon<br />
from a remote Java client.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 131
132 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 7. TCP connections to the<br />
<strong>Gateway</strong> daemon on z/OS<br />
7<br />
In this chapter, we describe how we installed and configured the <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) on z/OS, and how we connected to it using the<br />
<strong>CICS</strong> TG TCP protocol, from a Java client application running on UNIX System<br />
Services and Windows 2000.<br />
<strong>The</strong> <strong>CICS</strong> TG TCP protocol is a TCP/IP socket-based network protocol. It can be<br />
used by any remote Java application to communicate with the <strong>Gateway</strong> daemon.<br />
A UNIX daemon runs under UNIX System Services like a started task in MVS. In<br />
fact, the <strong>CICS</strong> TG daemon is started under an MVS started task in our<br />
implementation.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 133
7.1 Preparation<br />
134 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> following sections detail the software levels we used in our sample<br />
configuration and instructions on how we installed the <strong>CICS</strong> TG for z/OS.<br />
<strong>The</strong> communication protocol from the <strong>CICS</strong> TG for z/OS to the z/OS <strong>CICS</strong> region<br />
is External <strong>CICS</strong> Interface (EXCI). Because EXCI is complex enough to warrant<br />
its own chapter, we suggest you become familiar with Chapter 4, “EXCI<br />
connections to <strong>CICS</strong>” on page 65.<br />
Windows NT<br />
EciI1<br />
Java<br />
application<br />
IP network<br />
TCP/IP<br />
EciI1<br />
Figure 7-1 Software components: <strong>CICS</strong> TG for z/OS<br />
z/OS<br />
<strong>CICS</strong> TS<br />
EXCI<br />
<strong>CICS</strong><br />
<strong>Transaction</strong><br />
<strong>Gateway</strong><br />
daemon<br />
Java<br />
application<br />
UNIX<br />
System<br />
Services<br />
<strong>The</strong> <strong>CICS</strong> TG for z/OS runs in the z/OS UNIX System Services environment. As<br />
such, you will need a mix of traditional MVS skills and UNIX skills in order to<br />
install and to configure it. In this chapter, we introduce the <strong>CICS</strong> TG and the<br />
UNIX System Services environment from the point of view of a <strong>CICS</strong> systems<br />
programmer with MVS skills who wishes to administer the <strong>CICS</strong> TG for z/OS.
7.1.1 Software checklist<br />
We used the levels of software described in Table 7-1.<br />
Table 7-1 Software checklist: <strong>CICS</strong> TG z/OS<br />
Client workstation z/OS<br />
Windows 2000 Service Pack 2 z/OS V1.2<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for Windows<br />
<strong>V5</strong>.0.0<br />
7.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used in this scenario are summarized in Table 7-2. Before you<br />
configure the products, we recommend that you acquire definitions for each<br />
parameter listed.<br />
Table 7-2 Definitions checklist: <strong>CICS</strong> TG z/OS<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS<br />
<strong>V5</strong>.0.0<br />
<strong>IBM</strong> Java Development Kit V1.3.0 <strong>IBM</strong> Java Development Kit V1.3.1<br />
<strong>CICS</strong> TG for<br />
z/OS<br />
<strong>CICS</strong> <strong>Transaction</strong> Server Example<br />
<strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
hostname wtsc66oe.itso.ibm.com<br />
port 2006<br />
Job name SCSCTG5<br />
APPLID SCSCPJA1<br />
We had two TCP/IP stacks on our z/OS system: one for UNIX System Services<br />
and one for MVS. Most of our work was done with the UNIX System Services<br />
stack, primarily for FTP and the <strong>CICS</strong> TG for z/OS TCP/IP stack.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 135
7.1.3 <strong>CICS</strong> configuration<br />
136 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
While a great deal of our configuration has to do with setting up the <strong>CICS</strong> TG for<br />
z/OS, there are also <strong>CICS</strong> tasks that need to be performed.<br />
Set up an EXCI connection<br />
<strong>The</strong> <strong>CICS</strong> TG for z/OS uses the External <strong>CICS</strong> Interface (EXCI) protocol to<br />
communicate with <strong>CICS</strong>. EXCI is detailed in Chapter 4, “EXCI connections to<br />
<strong>CICS</strong>” on page 65 and shows how to set up the connections to your <strong>CICS</strong> region.<br />
Compile and install the sample programs<br />
We compiled the sample <strong>CICS</strong> COBOL programs, EC01 and EC02, and installed<br />
them in our <strong>CICS</strong> regions. <strong>The</strong>se programs are provided with the <strong>CICS</strong> TG in the<br />
/usr/lpp/ctg500/ctg/samples/server directory. We copied them to our source<br />
library, compiled them, and put the load module in our <strong>CICS</strong> load library.<br />
Edit and assemble DFHCNV<br />
As we will be running our Java applications on Windows or UNIX System<br />
Services (both of which are ASCII environments), we will need to convert the<br />
EBCDIC <strong>CICS</strong> output to ASCII. To do this, we created a DFHCNV entry for EC01<br />
and EC02 in our <strong>CICS</strong> DFHCNV table. This meant that <strong>CICS</strong> would convert the<br />
input for these programs from ASCII to EBCDIC, and the output from EBCDIC to<br />
ASCII. For further details on using DFHCNV, refer to Appendix A, “DFHCNV and<br />
<strong>CICS</strong> data conversion” on page 329.<br />
7.1.4 Installation of the <strong>CICS</strong> TG<br />
<strong>The</strong> following section details how we installed the <strong>CICS</strong> TG on our z/OS system.<br />
Transferring the <strong>CICS</strong> TG files to z/OS<br />
<strong>The</strong> <strong>CICS</strong> TG for z/OS <strong>V5</strong>.0.0 is supplied on a CD-ROM in the directory<br />
x:\GATEWAYS\OS390\ctg-500m.tar.Z. We transferred it from Windows to our<br />
z/OS system in binary mode using the File Transfer Protocol (FTP).<br />
We used the UNIX System Services FTP started task to upload the file directly<br />
into the /tmp HFS directory on our z/OS system. Example 7-1 on page 137<br />
shows the output of our FTP session. We used binary mode for the transfer,<br />
since we did not want FTP to perform data conversion on the tar archive.
Example 7-1 Using FTP to send the z/OS gateway to the /tmp= directory<br />
C:\>ftp wtsc66oe.itso.ibm.com<br />
Connected to wtsc66oe.itso.ibm.com.<br />
220-FTPDOE1 <strong>IBM</strong> FTP CS V1R2 at wtsc66oe.itso.ibm.com, 18:50:46 on 2002-06-13.<br />
220 Connection will not timeout.<br />
User (wtsc66oe.itso.ibm.com:(none)): cicsrs2<br />
331 Send password please.<br />
Password:<br />
230 <strong>CICS</strong>RS2 is logged on. Working directory is "/u/cicsrs2".<br />
ftp> cd /tmp<br />
250 HFS directory /tmp is the current working directory<br />
ftp> lcd d:\gateways\os390<br />
Local directory now D:\gateways\OS390.<br />
ftp> bin<br />
200 Representation type is Image<br />
ftp> put ctg-500m.tar.Z<br />
200 Port request OK.<br />
125 Storing data set /tmp/ctg-500m.tar.Z<br />
250 Transfer completed successfully.<br />
ftp: 21256941 bytes sent in 60.14Seconds 353.48Kbytes/sec.<br />
ftp> quit<br />
221 Quit command received. Goodbye.<br />
Tip: If you only have an MVS FTP server, you can FTP the <strong>CICS</strong> TG tar file to<br />
an MVS data set name using a binary transfer. <strong>The</strong> record format of the MVS<br />
data set is not important, but it should be allocated with at least 30 cylinders.<br />
Once the <strong>CICS</strong> TG compressed file is in an MVS data set, you can move it<br />
over to UNIX System Services using one of the following methods:<br />
Using ISHELL Use File -> New and File -> Replace From<br />
Using UNIX System Services Use the command tso oget<br />
Using TSO Use the command TSO OPUT<br />
Using batch TSO Use OPUT<br />
Again, regardless of which method you use, you should specify binary format.<br />
Once the <strong>CICS</strong> TG install archive was in the UNIX System Services /tmp<br />
directory, we created an environment where we could install the <strong>CICS</strong> TG for<br />
z/OS. Many of these tasks can also be performed by running the JCL found in<br />
/usr/lpp/ctg500/ctg/samples/jcl. <strong>The</strong> file /usr/lpp/ctg500/ctg/samples/samples.txt<br />
explains the members in this directory.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 137
138 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
To create our environment, we performed the following steps.<br />
HFS data set creation<br />
We created a new HFS and mounted it at the directory /usr/lpp/ctg500, where we<br />
installed the <strong>CICS</strong> TG code.<br />
To set up an HFS, you can allocate it using either ISPF option 3.2, an IEFBR14<br />
batch job, or through the ISHELL menus. You should make sure that the storage<br />
class with which your file is allocated has the GUARANTEED SPACE attribute.<br />
For our /usr/lpp/ctg500 directory we created a data set with a data set name of<br />
CTGUSER.CTG500.HFS. Figure 7-2 shows how we set up our HFS using TSO<br />
option 3.2.<br />
Figure 7-2 ISPF display of the CTGUSER.CTG500.HFS data set<br />
Once the HFS data set has been allocated, you must mount it at an HFS<br />
directory, known as a mount point, with a TSO MOUNT command or by using<br />
Option 3 from the ISHELL File_systems menu. <strong>The</strong> mount point should be an<br />
empty directory; otherwise its contents will be hidden (but not deleted).<br />
We created our directory in OMVS using superuser authority as shown in<br />
Example 7-2 on page 139. First we changed to the /usr/lpp directory and issued
the su command to switch users to the superuser. Next we made our ctg500<br />
directory and listed it with the ls command.<br />
Example 7-2 Creating a mount point directory<br />
$ SC66¨ /u/cicsrs2: cd /usr/lpp<br />
$ SC66¨ /usr/lpp: su<br />
$ SC66¨ /usr/lpp: mkdir ctg500<br />
$ SC66¨ /usr/lpp: ls -l ctg500<br />
drwxrwxrwx 2 AAAAAAA OMVSGRP 8192 Jun 20 10:27 ctg500/<br />
After creating the /usr/lpp/ctg500 directory, we mounted our HFS onto this<br />
using the ISHELL File_systems menu (Figure 7-3).<br />
Figure 7-3 ISHELL, Mount a File System screen<br />
If you want your mounted HFS file systems to be available when your z/OS<br />
system is initial program loaded, you will need to add MOUNT statements to your<br />
BPXPRMxx parameters in SYS1.PARMLIB. For example these are the<br />
parameters we added to our z/OS system for our /usr/lpp/ctg500 HFS:<br />
MOUNT FILESYSTEM(‘CTGUSER.CTG500.HFS’) TYPE(HFS)<br />
MOUNTPOINT(‘usr/lpp/ctg500’) MODE(RDWR)<br />
Unpacking the <strong>CICS</strong> TG filesets<br />
Once we had created the /usr/lpp/ctg500 HFS, we uncompressed the <strong>CICS</strong> TG<br />
tar archive. From OMVS, we uncompressed the tar archive using the UNIX<br />
uncompress command as follows:<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 139
140 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
cd /tmp<br />
uncompress -v /tmp/ctg-500m.tar.Z<br />
This created an uncompressed tar archive file, ctg-500m.tar (without the “.Z”<br />
suffix), in the /tmp directory. We unpacked this archive into the new<br />
/usr/lpp/ctg500 directory using the tar command:<br />
cd /usr/lpp/ctg500<br />
tar -xopfv /tmp/ctg-500m.tar<br />
This created the appropriate subdirectories and installed the <strong>CICS</strong> TG into the<br />
/usr/lpp/ctg500 directory.<br />
For reference, the options on the tar command are as follows:<br />
o: Does not restore the files with the original owner and group IDs,<br />
but instead uses the owner and group of the current logged-in<br />
user. This is important, since the original owner of the files will<br />
not be known on your z/OS UNIX System Services.<br />
p: Restores the files with the high-order file permission bits<br />
(set-user-ID, set-group-ID, and sticky bit).<br />
f: Specifies file name of the input tar archive file.<br />
v: Specifies verbose messages.<br />
Running the <strong>CICS</strong> TG install script<br />
We ran the next section in TSO OMVS, which is probably more familiar to <strong>CICS</strong><br />
systems programmers than a telnet session to UNIX System Services.<br />
In the /user/lpp/ctg500 directory, the ls -l command showed the following files:<br />
drwxr-xr-x 9 AAAAAAA SYS1 8192 Jun 21 00:04 ctg/<br />
-rwxr-xr-x 1 AAAAAAA SYS1 66 Jun 21 00:05 ctg_install<br />
-rwxr-xr-x 1 AAAAAAA SYS1 20 Jun 21 00:07 ctginstall<br />
-rw-r--r-- 1 AAAAAAA SYS1 1880 Jun 21 00:05 ctginstall.readme<br />
-rwxr-xr-x 1 AAAAAAA SYS1 28 Jun 21 00:07 ctginstall_<strong>IBM</strong>-930<br />
-rwxr-xr-x 1 AAAAAAA SYS1 28 Jun 21 00:07 ctginstall_<strong>IBM</strong>-935<br />
-rwxr-xr-x 1 AAAAAAA SYS1 28 Jun 21 00:07 ctginstall_<strong>IBM</strong>-937<br />
-rwxr-xr-x 1 AAAAAAA SYS1 28 Jun 21 00:07 ctginstall_<strong>IBM</strong>-939<br />
You will need to run the ctginstall script to install the <strong>CICS</strong> TG. If you have<br />
problems reading the license agreement, you can enter ctginstall 64. You are<br />
presented with a page of licensing agreements. Enter 3 to accept the agreement<br />
and complete the installation. A partial listing of the installation process is shown<br />
in Example 7-3 on page 141.
Tip: When running ctginstall under TSO OMVS, at some point you will<br />
probably see INPUT in the lower right-hand corner of your screen. This means<br />
OMVS has put your terminal to sleep. Press PF10 to refresh the screen.<br />
Example 7-3 <strong>CICS</strong> TG install script<br />
<strong>CICS</strong>RS2 @ SC66:/usr/lpp/ctg500>ctginstall<br />
To install <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> you must accept the following license<br />
agreement. If the license file does not display correctly, try restarting<br />
the installation using the command:<br />
'/usr/lpp/ctg500/ctg/bin/ctgsetup 64'.<br />
Enter 1 to view the license, or 2 to quit.<br />
1<br />
>>> Beginning of the License File >>><br />
International Program License Agreement<br />
Part 1 - General Terms<br />
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE PROGRAM. <strong>IBM</strong> WILL LICENSE<br />
THE PROGRAM TO YOU ONLY IF YOU FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY<br />
USING THE PROGRAM YOU AGREE TO THESE TERMS. IF YOU DO NOT AGREE TO THE TERMS OF<br />
THIS AGREEMENT, PROMPTLY RETURN THE UNUSED PROGRAM TO THE PARTY (EITHER <strong>IBM</strong> OR<br />
ITS RESELLER) FROM WHOM YOU ACQUIRED IT TO RECEIVE A REFUND OF THE AMOUNT YOU<br />
PAID.<br />
______________________________________________________________________________<br />
Enter 1 to page down, 2 to page up, 3 to accept or 4 to decline.<br />
===> 3<br />
You have accepted the license agreement.<br />
Wait while the installation continues.<br />
<strong>The</strong> installation is complete.<br />
License files can be viewed using the command:<br />
'/usr/lpp/ctg500/ctg/bin/ctgbrowse'<br />
To view the PDF documentation, you should obtain a copy of Adobe Acrobat Reader<br />
from www.adobe.com. Now create 'CTG.INI' and 'ctgenvvar' by copying<br />
'CTGSAMP.INI' and 'ctgenvvarsamp' and editing them to configure the <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong>.<br />
===> INPUT<br />
<strong>The</strong> result of our <strong>CICS</strong> TG install was the directory structure shown in Figure 7-4<br />
on page 142.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 141
142 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
.<br />
/usr/lpp/ctg<br />
bin<br />
resource ctgcfg resources<br />
classes CTG Java class library<br />
docs CTG documentation<br />
samples<br />
Installation directory<br />
executables<br />
deployable J2EE RAR files<br />
java<br />
com<br />
ibm<br />
server<br />
<strong>CICS</strong> COBOL<br />
source code<br />
ctg<br />
Figure 7-4 <strong>CICS</strong> TG z/OS directory structure<br />
CTGSAMP.INI<br />
ctgenvvar<br />
ctgikey<br />
ctgcfg<br />
ctgstart<br />
libCTGJNI.so<br />
libCTGJNI_g.so<br />
SECURES<br />
ctgclient.jar<br />
ctgserver.jar<br />
ctgsamples.jar<br />
ctgadmin.jar<br />
cicsj2ee.jar<br />
ccf2.jar<br />
connector.jar<br />
samples<br />
security Security exit samples<br />
test EciI1 and EciB1 samples<br />
j2ee J2EE samples<br />
<strong>The</strong> directory /usr/lpp/ctg500/ctg/bin contains the following files, all of which can<br />
be browsed using TSO OBROWSE or ISHELL. <strong>The</strong> other files in the directory are<br />
executables and cannot be viewed.<br />
CTGSAMP.INI Sample CTG.INI configuration file.<br />
ctgenvvar Environment variables (created during a later step from<br />
ctgenvvarsamp)<br />
ctgcfg Shell script to start <strong>CICS</strong> TG X-Windows graphical<br />
Configuration Tool.<br />
libCTGJNI.so Shared library called by the <strong>CICS</strong> TG (using the JNI) to<br />
invoke the EXCI.<br />
ctgstart Shell script to start the <strong>Gateway</strong> daemon.<br />
<strong>The</strong> /usr/lpp/ctg500/ctg/classes directory contains the following JAR files:<br />
ctgclient.jar Java class library<br />
ctgserver.jar Classes for use by <strong>Gateway</strong> daemon<br />
ctgsamples.jar Samples<br />
ctgadmin.jar Trace admin client<br />
cicsj2ee.jar, ccf2.jar, connector.jar J2EE classes
Tip: <strong>The</strong> contents of a JAR or zip file can be listed with the UNIX System<br />
Services command:<br />
jar -tvf <br />
Basic security considerations<br />
Before we started our <strong>CICS</strong> TG started task, we had to set up basic RACF<br />
security. <strong>The</strong>se are the required RACF tasks related to enable the <strong>CICS</strong> TG:<br />
► Enable RACF program control checking<br />
► Define the SDFHEXCI library as program controlled to RACF<br />
► Allow the <strong>CICS</strong> TG user ID read access to program-controlled libraries<br />
► Remove address space sharing from ctgstart using extattr -s<br />
► Create a user ID for the <strong>CICS</strong> TG and assign it to our started task name<br />
► Mark UNIX System Services programs as program controlled with the<br />
extattr +p command<br />
<strong>The</strong>se tasks will allow the most basic RACF security permissions. For a more<br />
secure environment, see Chapter 6, “<strong>CICS</strong> TG security scenarios” on page 99.<br />
Enable RACF program control checking<br />
To use RACF security functions within the <strong>CICS</strong> TG, all data sets, or HFS files,<br />
the <strong>CICS</strong> TG uses must be marked as program controlled. In the UNIX System<br />
Services context, program control allows RACF to secure UNIX System Services<br />
executables as if they were MVS programs.<br />
Before marking data sets and UNIX System Services executables as program<br />
control, we have to turn on program control in RACF. We activated program<br />
control by issuing these commands from a user ID with RACF SPECIAL<br />
authority:<br />
SETROPTS CLASSACT(PROGRAM)<br />
RDEFINE PROGRAM *UACC(READ)<br />
SETROPTS WHEN(PROGRAM)<br />
Define the SDFHEXCI library as program controlled to RACF<br />
Since the <strong>CICS</strong> TG runs from UNIX System Services program controlled<br />
executables, any MVS library the <strong>CICS</strong> TG accesses must also be program<br />
controlled. This includes the SDFHEXCI library which can be marked as program<br />
controlled with the following RACF command:<br />
RALTER PROGRAM * ADDMEM(‘<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI’//NOPADCHK)<br />
SETROPTS WHEN(PROGRAM) REFRESH<br />
We encountered a problem with program control on this library. This problem<br />
may have been specific to our site, but bears mentioning. <strong>The</strong> SDFHEXCI library<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 143
144 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
specified in the <strong>CICS</strong> TG started task and in the <strong>CICS</strong> region was an alias.<br />
Security failed when the <strong>CICS</strong> TG accessed the actual data set name. Defining<br />
the actual data set name solved our problem.<br />
We also had a problem when running with security enabled on the <strong>CICS</strong> TG. <strong>The</strong><br />
EciI1 example would give us dirty address space errors when attempting to<br />
access module DFHXCSVC in the SDHFLINK library. Marking<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHLINK as program controlled solved this problem.<br />
Allow read access to program controlled libraries<br />
If your z/OS system has defined the BPX.SERVER FACILITY class profile within<br />
RACF, then the user ID under which the <strong>Gateway</strong> daemon runs must be<br />
permitted to this profile. <strong>The</strong> following example shows the PERMIT command<br />
assuming the user ID of the server is CTGUSER:<br />
PERMIT BPX.SERVER CLASS(FACILITY) ID(CTGUSER) ACCESS(READ)<br />
PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(CTGUSER) ACCESS(READ)<br />
If the BPX.SERVER FACILITY class is not defined, the <strong>CICS</strong> TG user ID must be<br />
defined with a UID of 0 (that is, be a root user).<br />
Remove address space sharing from ctgstart<br />
We specified that the ctgstart script should not share its address space with any<br />
other processes. This is to ensure that the calling address space is not<br />
contaminated by a non-program-controlled load module. To force the JVM to use<br />
its own non-shareable address, we used the following UNIX System Services<br />
command:<br />
extattr -s /usr/lpp/ctg500/bin/ctgstart<br />
This command should be performed from the owner ID or superuser.<br />
Example 7-4 on page 145 shows the result of this command. <strong>The</strong> ctgstart<br />
module does not have an “s” in the second column, which is the desired effect of<br />
the above command.<br />
<strong>CICS</strong> TG started task user ID<br />
We ran our <strong>CICS</strong> TG as a started task, using the user ID CTGUSER. <strong>The</strong> user ID<br />
under which the <strong>CICS</strong> TG started task runs should:<br />
► Have an OMVS segment defined<br />
► Be in a group that has an OMVS segment<br />
► Be defined without a password<br />
► Have READ access to the RACF profile that protects the<br />
TCPIP.STANDARD.TCPXLBIN data set. This data set contains translate<br />
tables for translating from ASCII to EBCDIC and from EBCDIC to ASCII.
<strong>The</strong>re are two methods of defining a default user ID to a started task:<br />
► Use the RACF exit - ICHRIN03<br />
► Use the STARTED class in RACF. <strong>The</strong> following example shows the user ID<br />
CTGUSER, in the <strong>CICS</strong> group, being assigned as the user ID for all<br />
SCSCTG* tasks:<br />
RDEF STARTED SCSCTG*.* STDATA(USER(CTGUSER) GROUP(<strong>CICS</strong>) PRIVILEGED(NO)<br />
TRUSTED(NO))<br />
More information can be found in the RACF Systems Programmer’s Guide,<br />
SC28-1913.<br />
Program control<br />
To use RACF security functions within the <strong>CICS</strong> TG, all data sets, or HFS files,<br />
the <strong>CICS</strong> TG uses must be marked as program controlled. In the UNIX System<br />
Services context, program control allows RACF to secure UNIX System Services<br />
executables as if they were MVS programs. If you have not turned on program<br />
control for the required data sets, you will probably get 02AF (address bit dirty)<br />
abends.<br />
<strong>The</strong> UNIX System Services command extattr +p is then used to mark UNIX<br />
System Services files as program controlled. You need to be the superuser to<br />
modify the file permissions, so it is best to issue the extattr command as<br />
superuser.<br />
<strong>The</strong>se commands mark the <strong>CICS</strong> TG files as program controlled:<br />
extattr +p /usr/lpp/ctg500/ctg/bin/lib*.so<br />
extattr +p /usr/lpp/ctg500/ctg/bin/SECURES<br />
<strong>The</strong> following command marks Java files that the <strong>CICS</strong> TG requires to be<br />
program controlled:<br />
extattr +p /usr/lpp/java/<strong>IBM</strong>/J1.3/bin/*<br />
To verify the program control commands worked, you can issue the ls -E<br />
command from a UNIX System Services shell. Example 7-4 is an example of the<br />
output of this command. <strong>The</strong> -p in the second column shows that program<br />
control is set.<br />
Example 7-4 <strong>CICS</strong> TG program controlled files<br />
<strong>CICS</strong>RS2 @ SC66:/usr/lpp/ctg500/ctg/bin>ls -E<br />
total 20072<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 84990 Jun 21 00:04 CTGLOG.HLP<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 57410 Jun 25 12:18 CTGMSG.HLP<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 12662 Jun 21 00:04 CTGSAMP.INI<br />
-rwxr-xr-x -ps- 1 CTGUSER SYS1 139264 Jun 21 00:04 SECURES<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 145
7.2 Configuration<br />
146 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
-rwxr-xr-x a-s- 1 CTGUSER SYS1 12288 Jun 21 00:04 ctgarm<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 31097 Jun 21 00:04 ctgbrowse<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 34026 Jun 21 00:04 ctgcfg<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 27533 Jun 21 00:04 ctgdoc<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 923 Jun 25 14:26 ctgenvvar<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 5958 Jun 21 00:04 ctgenvvarsamp<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 36366 Jun 21 00:04 ctgikey<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 48936 Jun 21 00:04 ctgmsgs<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 40069 Jun 21 00:06 ctgsetup<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 40069 Jun 21 00:06 ctgsetup_<strong>IBM</strong>-930<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 40069 Jun 21 00:06 ctgsetup_<strong>IBM</strong>-935<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 40069 Jun 21 00:06 ctgsetup_<strong>IBM</strong>-937<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 40069 Jun 21 00:06 ctgsetup_<strong>IBM</strong>-939<br />
-rwxr-xr-x ---- 1 CTGUSER SYS1 36854 Jun 25 15:00 ctgstart<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 31075 Jun 21 00:04 ctguninst<br />
-rwxr-xr-x -ps- 1 CTGUSER SYS1 348160 Jun 21 00:04 libCTGJNI.so<br />
-rwxr-xr-x -ps- 1 CTGUSER SYS1 348160 Jun 21 00:04 libCTGJNI_g.so<br />
-rwxr-xr-x -ps- 1 CTGUSER SYS1 180224 Jun 21 00:04 libSSLSocketLib.so<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 2349 Jun 21 00:04 oldctgcfg<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 4088 Jun 21 00:04 oldctgikey<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 6040 Jun 21 00:04 oldctgstart<br />
-rwxr-xr-x --s- 1 CTGUSER SYS1 1929 Jun 21 00:04 readme.txt<br />
drwxr-xr-x 11 CTGUSER SYS1 8192 Jun 21 00:04 resource<br />
In this section, we explain how we configured the <strong>CICS</strong> TG daemon to be started<br />
as a started task and to listen for incoming ECI requests on a given TCP/IP port.<br />
We used the name SCSCTG5 for our <strong>CICS</strong> TG.<br />
1. We created a HFS working directory for our <strong>CICS</strong> TG SCSCTG5 and its log<br />
files called /ctg/scsctg5/logs. To do this we used the same procedure as used<br />
for creating the /usr/lpp/ctg500 HFS outlined in “HFS data set creation” on<br />
page 138. This enabled us to separate our <strong>CICS</strong> TG log files from the product<br />
install files and thus prevented the possibility that the /usr/lpp/ctg500 HFS<br />
could become full due to trace output.<br />
2. We copied the sample configuration file /usr/lpp/ctg500/ctg/CTGSAMP.INI to<br />
/ctg/scsctg5/CTG.INI.<br />
3. We activated the <strong>CICS</strong> TG TCP protocol handler by uncommenting the lines<br />
in CTG.INI as shown in Example 7-5 on page 147. <strong>The</strong> continuation character<br />
in this file is a backslash.
Example 7-5 TCP protocol handler<br />
SECTION GATEWAY<br />
closetimeout=10000<br />
ecigenericreplies=off<br />
initconnect=10<br />
initworker=10<br />
maxconnect=90<br />
maxworker=90<br />
noinput=off<br />
nonames=on<br />
notime=off<br />
workertimeout=10000<br />
protocol@admin.handler=com.ibm.ctg.server.RestrictedTCPHandler<br />
protocol@admin.parameters=port=2810;\<br />
sotimeout=1000;connecttimeout=2000; idletimeout=600000;\<br />
pingfrequency=60000;maxconn=5;<br />
# allowaddr=127.0.0.1;<br />
protocol@tcp.handler=com.ibm.ctg.server.TCPHandler<br />
protocol@tcp.parameters=connecttimeout=2000;idletimeout=600000;\<br />
pingfrequency=60000;port=2006;solinger=0;sotimeout=1000;<br />
ENDSECTION<br />
<strong>The</strong> TCP/IP port 2006 is the default port for the TCP/IP listener and, since no<br />
other <strong>Gateway</strong> daemons were running in the LPAR, we used this value.<br />
We set up the administration client so that we can control the traces<br />
dynamically. <strong>The</strong>re was no other administration client, so we kept the default<br />
port of 2810.<br />
4. Next, we created the JCL to allow us to start the <strong>CICS</strong> TG as an MVS started<br />
task (Example 7-6).<br />
Example 7-6 JCL for <strong>CICS</strong> TG started task<br />
//SCSCTG5 EXEC PGM=BPXBATCH,REGION=0M,<br />
// PARM='SH /usr/lpp/ctg500/ctg/bin/ctgstart -noinput'<br />
//STEPLIB DD DSN=<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI,DISP=SHR<br />
//STDIN DD PATH='/dev/null',PATHOPTS=(ORDONLY)<br />
//STDOUT DD PATH='/ctg/scsctg5/logs/ctg.stdout',<br />
// PATHOPTS=(OWRONLY,OCREAT,OAPPEND),<br />
// PATHMODE=(SIRWXU,SIRWXG,SIROTH)<br />
//STDERR DD PATH='/ctg/scsctg5/logs/ctg.stderr',<br />
// PATHOPTS=(OWRONLY,OCREAT,OAPPEND),<br />
// PATHMODE=(SIRWXU,SIRWXG,SIROTH)<br />
//STDENV DD DSN=ESA.SYS1.PROCLIB(CTG5ENV),DISP=SHR<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 147
148 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
BPXBATCH is the MVS program that runs a UNIX System Services script as a<br />
batch job. <strong>The</strong> PARM field specifies that the shell (SH) is to execute the specified<br />
ctgstart command with the -noinput option.<br />
We directed the STDOUT and STDERR files to a location different from the base<br />
<strong>CICS</strong> TG software. This allowed us to manage the logs in a different directory,<br />
and in this case, an entirely different HFS data set.<br />
<strong>The</strong> STDENV DD points to a PDS member. You can administer the parameters<br />
from TSO, which is easier for <strong>CICS</strong> systems programmers. <strong>The</strong> concatenation<br />
sequence for ctgstart, ctgenvvar, and STDENV DD are noted in 7.2.2, “Defining<br />
<strong>CICS</strong> TG configuration parameters” on page 153.<br />
PATHOPTS on the HFS file specification is similar to the JCL DISP parameter,<br />
and PATHMODE determines UNIX file permissions for the file.<br />
7.2.1 Defining <strong>CICS</strong> TG environmental variables<br />
Environment variables passed from BPXBATCH to the <strong>Gateway</strong> daemon can be<br />
set in one of the following three ways:<br />
► Within the JCL using a partitioned data set (PDS) referenced by the STDENV<br />
DD card.<br />
► Using the ctgenvvar HFS file.<br />
► Within the shell environment of the started task user ID.<br />
<strong>The</strong> UNIX search order for environment variables used by BPXBATCH is as<br />
follows:<br />
1. Variables found in the /usr/lpp/ctg500/ctg/bin/ctgenvvar file take precedence.<br />
2. Variables are next taken from the UNIX System Services shell environment<br />
(BPXBATCH) in which ctgstart runs. <strong>The</strong> order of precedence is as follows:<br />
a. Variables taken from the .profile of the started task user ID<br />
b. Variables taken from the default user profile /etc/profile<br />
c. Variables taken from STDENV member passed to BPXBATCH<br />
This is summarized in Figure 7-5.
Yes<br />
Use the<br />
setting for<br />
this variable<br />
Yes<br />
Use the<br />
setting for<br />
this variable<br />
Set in<br />
ctgenvvar?<br />
Figure 7-5 Concatenation sequence for <strong>CICS</strong> TG variables<br />
No<br />
Set in<br />
started task<br />
user<br />
.profile?<br />
No<br />
We spent most of our time in TSO, and to ease maintenance we set most of our<br />
variables in the STDENV member defined in the <strong>CICS</strong> TG started task. To<br />
ensure these variables were not overridden, we also checked the variables were<br />
not set in the files: ctgenvvar, /etc/profile or /u/ctguser/.profile.<br />
Note: In versions of the <strong>CICS</strong> TG prior to <strong>V5</strong>.00, environment variables could<br />
also be set in the ctgstart script itself. This is not recommended and you<br />
should note that the code to allow this has now been removed from ctgstart.<br />
<strong>The</strong> STDENV library member (Example 7-7) contained our environment<br />
variables to be passed to the ctgstart script.<br />
Example 7-7 <strong>CICS</strong> TG STDENV member<br />
DFHJVPIPE=SCSCTG5<br />
DFHJVSYSTEM_00=SCSCPJA1 - <strong>CICS</strong>TS 2.2<br />
DFHJVSYSTEM_01=SCSCPJA2 - <strong>CICS</strong>TS 2.2<br />
EXCI_LOADLIB=<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI<br />
Yes<br />
Use the<br />
setting for<br />
this variable<br />
Set in<br />
/etc/profile<br />
No<br />
Set in<br />
started<br />
task<br />
STDENV?<br />
Yes<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 149<br />
No<br />
Use the<br />
setting for<br />
this variable<br />
Variable not<br />
set
150 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>CICS</strong>CLI=/ctg/scsctg5/CTG.INI<br />
CTG_RRMNAME=CCL.CTG.<strong>IBM</strong>.UA<br />
CTGSTART_HOME=/usr/lpp/ctg500/ctg/bin<br />
<strong>The</strong> <strong>CICS</strong> TG <strong>V5</strong> supplies a new and somewhat complex ctgenvvarsamp file as a<br />
sample of the ctgenvvar file used for controlling of environment variables. This<br />
new ctgenvvar will override variables set in other places, such as STDENV. To<br />
understand this new ctgenvvar file, you will need to be familiar with UNIX System<br />
Services and Korn shell scripting. If you are not, we suggest you use a simple<br />
version, such as the one we used (shown in Example 7-8), which does not<br />
override variables set in other places.<br />
Example 7-8 ctgenvvar<br />
CTG_CLASSPATH="${CTGSTART_HOME}/../classes/ctgclient.jar:${CTGSTART_HOME}/../cl<br />
asses/ctgserver.jar:${CTGSTART_HOME}/../classes/cfwk.zip:${CTGSTART_HOME}/../cl<br />
asses/ctgsamples.jar"<br />
CTG_LIBPATH="${CTGSTART_HOME}"<br />
export STEPLIB=${STEPLIB}:${EXCI_OPTIONS}:${EXCI_LOADLIB}<br />
export CLASSPATH=${CTG_USER_CLASSPATH}:${CTG_CLASSPATH}:$CLASSPATH<br />
export LIBPATH=${CTG_USER_LIBPATH}:${CTG_LIBPATH}:$LIBPATH<br />
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${CTG_USER_LIBPATH}:${CTG_LIBPATH}<br />
export PATH=.:/bin:/usr/lpp/java213/J1.3/bin<br />
export JAVA_HOME=/usr/lpp/java213/J1.3<br />
Following is a summary of the variables you are likely to have to set:<br />
► DFHJVPIPE<br />
<strong>The</strong> value specified here should match the NETNAME in the <strong>CICS</strong> connection<br />
definition to be used for an EXCI connection using a specific pipe. <strong>The</strong> default<br />
connection name in the <strong>IBM</strong>-supplied group DFH$EXCI is EXCS, which has a<br />
NETNAME of BATCHCLI. We created our own connection definition, and<br />
used a NETNAME of SCSCTG5.<br />
► DFHJVSYSTEM<br />
<strong>The</strong> syntax of this variable is DFHJVSYSTEM_nn=aaaaaaaa literal, where:<br />
– nn = 0 to 99<br />
– aaaaaaaa = the APPLID of the <strong>CICS</strong> region<br />
– literal = a description of the <strong>CICS</strong> region<br />
Note the setting of this variable is optional, and only affects the result of the<br />
ECIRequest.listSystems() method and does not affect which <strong>CICS</strong> regions<br />
you can connect to.
► AUTH_USERID_PASSWORD<br />
This operand determines whether the user ID and password sent on an ECI<br />
call should be verified by RACF before the EXCI call is made. <strong>The</strong> default is<br />
YES. We did not wish to flow user IDs on the ECI calls in our tests, and<br />
therefore left this line commented out in our ctgstart script, ctgenvvar &<br />
STDENV member.<br />
Tip: <strong>The</strong> way <strong>CICS</strong> TG checks AUTH_USERID_PASSWORD is unusual.<br />
While MVS checks to see the contents of a variable, the <strong>CICS</strong> TG ignores the<br />
contents of this variable and merely checks if it is null or not null.<br />
AUTH_USERID_PASSWORD can be YES, NO, or REDRUM and it is still<br />
considered set (not null).<br />
To unset a variable, comment it out in ctgenvvar and your STDENV member,<br />
and make sure it is not set in /etc/profile or the .profile of the user ID under<br />
which the <strong>CICS</strong> TG is running.<br />
► EXCI_LOADLIB<br />
This is the name of the library containing the EXCI load modules, without its<br />
high-level qualifier. This will usually be SDFHEXCI, and so does not usually<br />
need modifying.<br />
► EXCI_OPTIONS<br />
This is a user library that contains the EXCI options to be used if you have a<br />
tailored version of the EXCI options table (DFHXCOPT). For more details,<br />
refer to Chapter 6, “<strong>CICS</strong> TG security scenarios” on page 99.<br />
► HLQ<br />
This is the high-level qualifier for the library specified in EXCI_LOADLIB. If<br />
you do not have your <strong>CICS</strong> installation image in the default location<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>, then you will need to modify this statement.<br />
► <strong>CICS</strong>CLI<br />
You can specify a different path to the configuration file by setting the location<br />
of CTG.INI. This variable is instrumental in running multiple <strong>CICS</strong> TG started<br />
tasks.<br />
You will note in our example that we point the <strong>CICS</strong> TG to a directory specific<br />
to the started task. This allows each <strong>CICS</strong> TG started task to have its own<br />
CTG.INI.<br />
► CTG_CLASSPATH<br />
This controls the classpath used by the <strong>Gateway</strong> daemon. It is best set in<br />
ctgenvvar, and needs modifying only if you need to make a server<br />
compression class available to a protocol handler. This will be the case if you<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 151
152 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
use the EciI1 transactional ECI sample, which uses classes supplied in<br />
ctgsamples.jar. To enable use of EciI1, we set the CTG_CLASSPATH in<br />
ctgenvvar as follows:<br />
CTG_CLASSPATH="${CTGSTART_HOME}/../classes/ctgclient.jar:${CTGSTART_HOME}<br />
/../classes/ctgserver.jar:${CTGSTART_HOME}/../classes/cfwk.zip:<br />
${CTGSTART_HOME}/../classes/ctgsamples.jar"<br />
► CTG_RRMNAME<br />
This is the name that the <strong>CICS</strong> TG registers with Resource Recovery<br />
Services (RRS) for transactional EXCI requests to <strong>CICS</strong>. You will only need to<br />
modify this if using transactional EXCI requests. <strong>The</strong> default RRMNAME is<br />
CCL.CTG.<strong>IBM</strong>.UA. If you choose not to use the default name, you must obey<br />
the naming rules for RRS groups.<br />
<strong>The</strong> name can consist of the following printable characters:<br />
– Alphanumeric characters: A-Z and 0-9<br />
– National characters: $ (X'5B'), # (X'7B'), @ (X'7C')<br />
– <strong>The</strong> period (.)<br />
– <strong>The</strong> underscore (_)<br />
RRM name restrictions include:<br />
– <strong>The</strong> name cannot start with a blank or contain embedded blanks.<br />
– Lowercase characters are converted to uppercase characters.<br />
– To avoid naming conflicts, use A-C or G-I as the first character.<br />
– <strong>The</strong> length of CTG_RRMNAME must not exceed 32 characters and must<br />
end with the characters <strong>IBM</strong>.UA<br />
<strong>Transaction</strong>al EXCI: <strong>Transaction</strong>al EXCI is an application programming<br />
interface (API) that allows the <strong>CICS</strong> server unit of work to be continued over<br />
multiple EXCI calls, until the EXCI client decides to commit or back out the unit<br />
of work. This means that multiple ECI requests from the <strong>CICS</strong> TG for z/OS in<br />
Extend_Mode can be part of the same logical unit of work, and can be<br />
coordinated using a two-phase commit mechanism from the <strong>CICS</strong> TG for<br />
z/OS to the <strong>CICS</strong> server.<br />
<strong>The</strong> EXCI requests can only be transactional if the <strong>CICS</strong> TG started task using<br />
the EXCI and the <strong>CICS</strong> region execute in the same z/OS image.
7.2.2 Defining <strong>CICS</strong> TG configuration parameters<br />
<strong>The</strong>re are several <strong>CICS</strong> TG configuration parameters that can be modified. We<br />
modified these by editing the CTG.INI file. You can use the X-Windows ctgcfg<br />
tool if you have X-Windows.<br />
Note: <strong>The</strong> <strong>CICS</strong> TG Configuration Tool utility ctgcfg is supplied with the <strong>CICS</strong><br />
TG for z/OS and can be used on z/OS. However, you will need to be familiar<br />
with X-Windows and have configured an X client to be able to use this utility. If<br />
you are not familiar with UNIX and X-Windows, you could simply edit the<br />
CTG.INI file in the /usr/lpp/ctg500/ctg/bin directory.<br />
Another method is to enter ctgcfg -PLAT ZOS on a Windows workstation that<br />
has the <strong>CICS</strong> TG installed. This uses the <strong>CICS</strong> TG for Windows configuration<br />
utility to create z/OS configuration files. Once you’ve saved the CTG.INI file,<br />
you simply FTP it to the location in your <strong>CICS</strong>CLI variable.<br />
Changes to any of these parameters requires a stop and restart of the <strong>CICS</strong> TG<br />
before they will take effect. <strong>The</strong> following is a list of the most important<br />
configuration parameters, along with the values we used:<br />
► initconnect=10<br />
This is the initial number of connection manager threads allocated at startup.<br />
Set this to the “normal” number of clients you expect to support.<br />
► initworker=10<br />
This is the initial number of worker threads allocated at startup. Set this to the<br />
initial number of connection manager threads.<br />
► maxconnect=100<br />
This is the maximum number of connection manager threads. This limits the<br />
maximum number of remote Java clients that can connect to the <strong>CICS</strong> TG<br />
through one of the protocol handlers. Set this to the maximum number of<br />
clients you need to support, but also make sure it is greater than or equal to<br />
maxworker.<br />
► maxworker=100<br />
This is the maximum number of worker threads, which limits the maximum<br />
number of parallel ECI request the <strong>CICS</strong> TG can process. It should be:<br />
– Less than or equal to maxconnect<br />
– Less than or equal to the RECEIVECOUNT set in the <strong>CICS</strong> sessions<br />
definition<br />
– Less than or equal to 100, since this is the maximum number of EXCI<br />
pipes that any z/OS address space can allocate<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 153
7.2.3 EXCI pipe usage<br />
154 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► noinput=no<br />
This means the ctgstart script is able to read input if it is started from the<br />
UNIX System Services shell. If ctgstart is run as a started task, this parm has<br />
no effect.<br />
► nonames=on<br />
This controls whether client host names are resolved via the DNS server. This<br />
should be set to on to prevent delays.<br />
► notime=off<br />
This shows the timestamps in the message log. This should be set to off,<br />
since timestamps are very useful in problem determination.<br />
► tfile=/ctg/scsctg5/logs/ctg.trc<br />
This is the location of the trace file. We set it to our <strong>CICS</strong> TG logging directory<br />
we created in 7.2, “Configuration” on page 146.<br />
► workertimeout=1000<br />
This is the time in milliseconds a connection manager thread waits to obtain a<br />
thread from the worker thread pool. This timeout prevents remote Java client<br />
from hanging if all worker threads are in use.<br />
<strong>The</strong> EXCI is used by the <strong>CICS</strong> TG for z/OS to send requests to the <strong>CICS</strong> region<br />
specified in the ECI request. To make an ECI call, the <strong>CICS</strong> TG for z/OS uses the<br />
EXCI CALL interface. <strong>The</strong> EXCI CALL interface provides a low-level API for<br />
calling a <strong>CICS</strong> program using a COMMAREA, and consists of the following six<br />
commands:<br />
1. Initialize_User<br />
2. Allocate_Pipe<br />
3. Open_Pipe<br />
4. DPL_Request<br />
5. Close_Pipe<br />
6. Deallocate_Pipe<br />
<strong>The</strong> <strong>CICS</strong> TG does not perform a Deallocate_Pipe after it performs the initial ECI<br />
request from any given thread. This means that a pipe stays allocated for the<br />
lifetime of the thread and is not deallocated until one of the following occurs:<br />
► An error is received by the <strong>CICS</strong> TG worker thread on an Open_Pipe call<br />
► <strong>The</strong> <strong>CICS</strong> TG worker thread terminates<br />
► <strong>The</strong> <strong>CICS</strong> TG address space terminates<br />
► <strong>The</strong> <strong>CICS</strong> connection is placed out of service or IRC is closed<br />
► <strong>The</strong> <strong>CICS</strong> region terminates
<strong>CICS</strong> TG thread usage<br />
<strong>The</strong> <strong>Gateway</strong> daemon, used to receive network requests from remote Java<br />
clients, is itself a sophisticated multi-threaded Java application. It can handle<br />
multiple requests simultaneously and has a set of properties configured in the<br />
CTG.INI configuration file. Two pools of threads can be configured: the<br />
connection manager threads and the worker threads. For each connected client,<br />
one connection manager thread is used in the <strong>Gateway</strong> daemon, and is held until<br />
the client issues a disconnect using the Java<strong>Gateway</strong>.close() method, or is<br />
otherwise disconnected. In order for an ECI call to be performed via an allocated<br />
connection manager thread, a thread must be allocated from the worker thread<br />
pool for the duration of the ECI request. This relationship is summarized in<br />
Figure 7-6.<br />
Java client<br />
Java<strong>Gateway</strong>.open() Connect<br />
Java<strong>Gateway</strong>.flow()<br />
Java<strong>Gateway</strong>.close()<br />
ECI<br />
Disconnect<br />
Figure 7-6 <strong>CICS</strong> TG threading model<br />
<strong>Gateway</strong> daemon<br />
Connection<br />
Managers<br />
Workers<br />
Thus the connection manager threads limit the maximum number of connected<br />
Java clients, while the worker threads limit the number of concurrent ECI calls<br />
that can be issued by these attached clients. <strong>The</strong> initial and maximum numbers<br />
of these connection manager and worker threads are set in the CTG.INI file using<br />
the maxconnect and maxworker parameters. Requests from connection manager<br />
threads for worker threads can be queued internally, but will be timed out<br />
according to the workertimeout parameter.<br />
Wait<br />
ECI request<br />
ECI reply<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 155
156 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
EXCI pipe limitations<br />
In <strong>CICS</strong> TS V1.3 and later, a single z/OS address space is limited (by the IRC<br />
code) to only being able to allocate up to 100 EXCI pipes in total, to all attached<br />
<strong>CICS</strong> regions. In contrast, maximum pipe usage in a <strong>CICS</strong> region is limited only<br />
by the number of sessions defined in the <strong>CICS</strong> MRO SESSIONS definition,<br />
which can be up to 999.<br />
<strong>The</strong> following rules apply to the use of the EXCI by the <strong>CICS</strong> TG <strong>V5</strong>.0.0, and<br />
apply equally to worker threads within the <strong>Gateway</strong> daemon or to threads within<br />
<strong>WebSphere</strong> Application Server using the <strong>CICS</strong> TG local protocol.<br />
► Each thread that services an ECI request will allocate an EXCI pipe. This pipe<br />
remains allocated until either the thread is terminated, or the <strong>CICS</strong> MRO<br />
connection is closed.<br />
► Such pipes will be re-used by subsequent requests to the same worker<br />
thread, but pipes are not shared across different worker threads.<br />
► If a worker thread connects to multiple <strong>CICS</strong> regions, then multiple EXCI<br />
pipes will be permanently allocated from the specific thread to these <strong>CICS</strong><br />
regions.<br />
If the <strong>CICS</strong> TG tries to allocate more pipes than there are available <strong>CICS</strong><br />
sessions defined, the EXCI Open_Pipe call will fail with a RETRYABLE response,<br />
and a reason code 202. <strong>The</strong> ECI application will receive a return code -16<br />
(ECI_ERR_RESOURCE_SHORTAGE) and the EXCI User replaceable module<br />
(DFHXCURM) will be invoked. In this instance you should consider configuring<br />
the RECEIVECOUNT parameter in the <strong>CICS</strong> SESSIONS definition to be at least<br />
100.<br />
If the number of EXCI pipes in use exceeds 100, the 101st EXCI Allocate_Pipe<br />
call will fail with a SYSTEM_ERROR response, and a reason code 608. <strong>The</strong> ECI<br />
application will receive a return code -9 (ECI_ERR_SYSTEM_ERROR). Since<br />
this means a limitation in the sending address space has been reached, you<br />
should consider reducing the number of threads (that is, maxworker in the<br />
<strong>Gateway</strong> daemon) to be less than or equal to 100/(number of attached <strong>CICS</strong><br />
regions).
Restriction: If your <strong>Gateway</strong> daemon connects directly to multiple <strong>CICS</strong><br />
regions, you will need to consider reducing the maxworker parameter to<br />
100/(number of attached <strong>CICS</strong> regions). This is because in these<br />
circumstances a worker thread may allocate an EXCI pipe to multiple <strong>CICS</strong><br />
regions.<br />
To achieve workload distribution across multiple <strong>CICS</strong> AORs, it is therefore<br />
recommended that you implement a limited number of <strong>CICS</strong> listening regions<br />
(that connect to the <strong>CICS</strong> TG) and that these listening region workload<br />
balance and manage affinities to multiple AORs.<br />
If the number of worker threads in your <strong>Gateway</strong> daemon becomes a limiting<br />
factor to increased throughput, we recommend you workload balance across<br />
cloned <strong>Gateway</strong> daemons, all listening on the same port using MVS TCP/IP port<br />
sharing. Each cloned <strong>Gateway</strong> daemon will be able to utilize up to 100 EXCI<br />
pipes. For further details on cloning <strong>Gateway</strong> daemons, refer to “Running multiple<br />
<strong>Gateway</strong> daemons” on page 168.<br />
For further information on workload balancing using the <strong>CICS</strong> TG, refer to the<br />
redbook Workload Management for Web Access to <strong>CICS</strong>, SG24-6118.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 157
7.3 Testing the configuration<br />
158 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
To test our configuration we used the <strong>CICS</strong> TG sample Java applications, EciB1<br />
and EciI1 from z/OS UNIX System Services and EciI1 from a Windows 2000<br />
workstation. (<strong>The</strong> fourth character in EciI1 is an I as in Intermediate.) Both<br />
applications flow an ECI request to a connected <strong>CICS</strong> region through a <strong>CICS</strong> TG<br />
for z/OS (Figure 7-7). <strong>The</strong> <strong>CICS</strong> TG gateway and port are specified as input<br />
parameters.<br />
Windows NT<br />
ctgsamples.jar<br />
ctgclient.jar<br />
JVM<br />
EciI1<br />
TCP/IP<br />
ECI request<br />
<strong>Gateway</strong><br />
daemon<br />
Figure 7-7 <strong>CICS</strong> TG for z/OS, software configuration<br />
wtsc66oe.itso.ibm.com<br />
z/OS<br />
<strong>CICS</strong> TG<br />
EXCI<br />
via IRC<br />
<strong>The</strong> EciB1 application tests basic communications capability to the <strong>CICS</strong> region.<br />
(<strong>The</strong> “B” stands for “basic”.) <strong>The</strong> output of this application is simply the date and<br />
time as formatted by the <strong>CICS</strong> region.<br />
<strong>The</strong> EciI1 application makes ECI calls in Extend_Mode. This causes the<br />
application to be transactional, allowing two-phase commit.<br />
When called, the EciI1 application prompts the user for the target <strong>CICS</strong> region.<br />
Once that is input, the application starts a transaction, asking if they want to run<br />
again. When the user decides not to run the transaction, the application asks if<br />
the transaction should be committed or rolled back, performs the desired action,<br />
and ends.<br />
EXCI<br />
We verified that our configuration was correctly set up as follows:<br />
JNI<br />
UNIX System Services<br />
JVM<br />
EciB1,<br />
EciI1<br />
ECI request<br />
ctgclient.jar<br />
ctgsamples.jar<br />
<strong>CICS</strong><br />
<strong>CICS</strong><br />
Application<br />
EC01,<br />
EC02
1. We started the <strong>CICS</strong> TG on z/OS as a started task from SDSF using the<br />
command /S SCSCTG5. Having started the job, we noticed this caused several<br />
temporary tasks to be invoked. <strong>The</strong>se tasks were called SCSCTG5n, where n<br />
was a number from 1 to 9. However, once the <strong>CICS</strong> TG had started the<br />
original job SCSCTG5 was left running but paged out, and a child process<br />
SCSCTG55 was left running and paged in. SCSCTG55 is the UNIX Systems<br />
Services JVM process that is executing the <strong>Gateway</strong> daemon. This is shown<br />
in Example 7-9.<br />
To stop the <strong>CICS</strong> TG, we simply use the MVS cancel command against the<br />
original started task: /C SCSCTG5. Eventually, the second task will end as well,<br />
though you can cancel it too.<br />
Example 7-9 <strong>CICS</strong> TG started tasks in SDSF<br />
SDSF DA SC66 SC66 PAG 0 SIO 322 CPU 7/ 6 DATA SET DISPLAYED<br />
COMMAND INPUT ===> SCROLL ===> CSR<br />
NP JOBNAME StepName ProcStep JobID Owner C Pos DP Real Paging SIO<br />
SCSCTG55 *OMVSEX STC11097 CTGUSER IN F7 25T 0.00 0.42<br />
SCSCTG5 SCSCTG5 *OMVSEX STC12191 CTGUSER LO FF 283 0.00 0.00<br />
2. Once the <strong>CICS</strong> TG had started we checked the log file<br />
/ctg/scsctg5/logs/ctg.stdout for the message CCL6524I, indicating the TCP<br />
protocol handler had successfully started (Example 7-10).<br />
Example 7-10 Successful start of <strong>CICS</strong> TG as seen in ctg.stdout<br />
----------------------------------------------------------------<br />
Set up environment variables for Java<br />
----------------------------------------------------------------<br />
PATH reset to /usr/lpp/java/<strong>IBM</strong>/J1.3/bin:/bin:.<br />
JAVA_HOME reset to /usr/lpp/java/<strong>IBM</strong>/J1.3<br />
CTG6111I File 'ctgenvvar' found. Using the configuration in script 'ctgenvvar'<br />
to start up the application.<br />
06/24/02 : 17:51:48:792 : <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, Version 5.0.0, 5724-D12.<br />
Build Level c000-20020621.<br />
06/24/02 : 17:51:48:799 : (C) Copyright <strong>IBM</strong> Corporation 1999, 2002. All rights<br />
06/24/02 : 17:51:48:946 : CCL8400I: Using ini file /ctg/scsctg5/CTG.INI.<br />
06/24/02 : 17:51:48:973 : CCL6577I: Java version is 1.3.1.<br />
06/24/02 : 17:51:49:012 : CCL6502I: Initial ConnectionManagers = 10, Maximum<br />
ConnectionManagers = 90,<br />
06/24/02 : 17:51:49:030 : CCL6502I: Initial Workers = 10, Maximum Workers = 90,<br />
tcp: Port = 2006<br />
06/24/02 : 17:51:49:038 : CCL6574I: Connection logging has been disabled.<br />
06/24/02 : 17:51:50:431 : CCL6505I: Successfully created the initial<br />
ConnectionManager and Worker threads.<br />
06/24/02 : 17:51:53:828 : CCL6524I: Successfully started handler for the tcp:<br />
protocol.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 159
160 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Tip: In <strong>V5</strong> of the <strong>CICS</strong> TG, the standard logging messages no longer get sent<br />
to STDERR. Instead they are written to STDOUT and only trace and error<br />
messages are written to STDERR. In addition, connection logging messages<br />
are disabled by default, but can be enabled using the new parameter<br />
connectionlogging in the CTG.INI configuration file.<br />
3. We checked the state of the TCP/IP sockets on our UNIX System Services<br />
TCP/IP stack using the onetstat command from OMVS. This showed us the<br />
output in Example 7-11 and indicates the <strong>CICS</strong> TG was indeed listening on<br />
port 2006 for TCP requests.<br />
Example 7-11 OMVS onetstat<br />
$ ÝSC66¨ /u/cicsrs2: onetstat<br />
MVS TCP/IP onetstat CS V1R2 TCPIP Name: TCPIPOE 23:02:35<br />
User Id Conn Local Socket Foreign Socket State<br />
------- ---- ------------ -------------- -----<br />
SCSCTG55 0001F5C3 0.0.0.0..2006 0.0.0.0..0 Listen<br />
4. We checked basic IP connectivity from our workstation to z/OS using the ping<br />
command from a Windows 2000 command prompt (Example 7-12).<br />
Example 7-12 Ping to z/OS verifying hosts or DNS setup<br />
C:\>ping wtsc66oe.itso.ibm.com<br />
Pinging wtsc66oe.itso.ibm.com [9.12.6.29] with 32 bytes of data:<br />
Reply from 9.12.6.29: bytes=32 time=120ms TTL=52<br />
Reply from 9.12.6.29: bytes=32 time=110ms TTL=52<br />
Ping statistics for 9.12.6.29:<br />
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />
Approximate round trip times in milli-seconds:<br />
Minimum = 110ms, Maximum = 120ms, Average = 112ms<br />
5. Next we performed our basic test under OMVS. First we used ISHELL to<br />
create /u/cicsrs2/EciB1Test. This will be an executable script file with the<br />
contents shown in Example 7-13.<br />
Example 7-13 OMVS EciB1 test script file<br />
export CLASSPATH=/usr/lpp/ctg500/ctg/classes/ctgsamples.jar<br />
export CLASSPATH=$CLASSPATH:/usr/lpp/ctg500/ctg/classes/ctgclient.jar<br />
echo $CLASSPATH<br />
java com.ibm.ctg.samples.eci.EciB1 tcp://wtsc66oe.itso.ibm.com 2006
Once the file was created, we went into OMVS and marked EciB1Test as<br />
executable with the following command: chmod +x EciB1Test. You can verify<br />
this worked by doing a ls -l and verifying the last character in the first<br />
column is “x”.<br />
– You can see the first parameter after the name of the Java class is the<br />
location of the <strong>Gateway</strong> daemon (tcp://wtsc66oe.itso.ibm.com). Since the<br />
<strong>Gateway</strong> daemon was running on the same host as our Java client we<br />
could also have used the loopback IP address of 127.0.0.1 or “loopback” if<br />
it is defined in the TCP/IP configuration.<br />
– <strong>The</strong> final parameter on the EciB1 line is the TCP/IP port used by the<br />
<strong>Gateway</strong> daemon. This defaults to 2006, but we added it anyway.<br />
With the script marked as executable, we ran it by entering EciB1Test. <strong>The</strong><br />
results of our tests are shown in Example 7-14.<br />
Example 7-14 OMVS EciB1 test output<br />
$ [SC66] /u/cicsrs2: EciB1Test<br />
Usage: java com.ibm.ctg.samples.eci.EciB1 [<strong>Gateway</strong> Url] [<strong>Gateway</strong> Port Number]<br />
<strong>Gateway</strong> tcp://wtsc66oe.itso.ibm.com port:2006<br />
<strong>CICS</strong> Servers Defined:<br />
1. SCSCPJA1 -<br />
2. SCSCPJA2 -<br />
Choose Server to connect to, or q to quit:<br />
1<br />
Program EC01 returned with data:-<br />
Hex: 32342f30362f30322031353a30363a32300<br />
ASCII text: 24/06/02 15:06:20<br />
6. Once we knew the basic <strong>CICS</strong> TG functions were working, we tested the<br />
transaction EXCI functions using the supplied EciI1 sample class. We used<br />
ISHELL to create /u/cicsrs2/EciI1Test. This will be an executable script file<br />
with the contents shown in Example 7-15.<br />
Example 7-15 OMVS test script file<br />
export CLASSPATH=/usr/lpp/ctg500/ctg/classes/ctgsamples.jar<br />
export CLASSPATH=$CLASSPATH:/usr/lpp/ctg500/ctg/classes/ctgclient.jar<br />
echo $CLASSPATH<br />
java com.ibm.ctg.samples.eci.EciI1 tcp://wtsc66oe.itso.ibm.com 2006<br />
Once the file was created, we went into OMVS and marked EciI1Test as<br />
executable with the following command: chmod +x EciI1Test. You can verify<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 161
162 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
this worked by using ls -l and verifying the last character in the first column<br />
is “x”.<br />
Tip: Note to use the EciI1 sample you must make sure the <strong>Gateway</strong><br />
daemon has access to the classes in ctgsamples.jar. To do this you will<br />
need to update the CTG_CLASSPATH environment variable in your<br />
ctgenvvar file. We added the following to the end of the current<br />
CTG_CLASSPATH definition<br />
${CTG_CLASSES}/ctgsamples.jar<br />
Without this class you will receive the error:<br />
java.io.IOException: CCL6668E: Initial handshake flow failed.<br />
[java.io.IOException: CCL6670E: Exception occurred in the <strong>Gateway</strong>.<br />
[java.lang.ClassNotFoundException:com.ibm.ctg.samples.security.ServerComp<br />
ression]]<br />
With the script marked as executable, we ran it by entering EciI1Test. <strong>The</strong><br />
results of our tests are shown in Example 7-16.<br />
Example 7-16 OMVS EciI1 test output<br />
<strong>CICS</strong>RS2 @ SC66:/u/cicsrs2>EciI1Test<br />
Usage: java com.ibm.ctg.samples.eci.EciI1 Ý<strong>Gateway</strong>Url¨ ÝPort¨<br />
<strong>Gateway</strong>: tcp://wtsc66oe.itso.ibm.com:2006/<br />
WTSC66OE.ITSO.<strong>IBM</strong>.COM<strong>Gateway</strong> opened...<br />
Number of systems = 2<br />
-------------------------------------------------<br />
Systems:<br />
1: SCSCPJA1 -<br />
2: SCSCPJA2 -<br />
-------------------------------------------------<br />
Select a server by number or 'Q' quit<br />
1<br />
Chosen server = SCSCPJA1<br />
Waiting for a reply to a request to flow request<br />
*<br />
Reply received<br />
No errors reported<br />
-------------------------------------------------<br />
ASCII:<br />
1st run OF EC02
Hex:<br />
20202020202020203173742072756e204f462045433032202020202020202020202020202020200<br />
0000000000000000000000000000000000000000<br />
-------------------------------------------------<br />
Do you wish to run the program again in this Logical Unit of Work? - (Y/N)<br />
N<br />
C - Commit or R - rollback?<br />
C<br />
Committed logical unit of work on SCSCPJA1<br />
<strong>Gateway</strong> closed<br />
7. When we knew that basic and transactional EXCI was functional on z/OS, we<br />
tested the transactional functions in Windows 2000. We went into Windows<br />
and created a CMD file that contained the statements shown in<br />
Example 7-17. We set up a CMD file to make it easy to alter our classpath<br />
during testing.<br />
You will note the parameters passed to EciI1 includes the desired <strong>Gateway</strong><br />
URL. In this case it is the hostname of our z/OS host. If you do not have DNS<br />
enabled, you could as easily include the TCP/IP address of the z/OS system<br />
or set up the name in your hosts file.<br />
<strong>The</strong> final parameter passed to EciI1 is the TCP/IP port that the <strong>Gateway</strong><br />
daemon on z/OS is listening on. This defaults to 2006, but we specify it here<br />
for clarity.<br />
Example 7-17 Windows test EciI1Test.cmd file<br />
set CLASSPATH=.;C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\samples\java<br />
set CLASSPATH=%CLASSPATH%;C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgclient.jar<br />
java com.ibm.ctg.samples.eci.EciI1 tcp://wtsc66oe.itso.ibm.com 2006<br />
Example 7-18 shows the successful output from our Windows test.<br />
Example 7-18 Windows EciI1 test<br />
C:\EciI1Test.CMD<br />
--------------------------------------------------<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Intermediate ECI Sample<br />
--------------------------------------------------<br />
Usage: java com.ibm.ctg.samples.eci.EciI1 [<strong>Gateway</strong>Url] [Port]<br />
<strong>Gateway</strong>: tcp://wtsc66oe.itso.ibm.com:2006/<br />
WTSC66OE.ITSO.<strong>IBM</strong>.COM<strong>Gateway</strong> opened...<br />
Number of systems = 2<br />
-------------------------------------------------<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 163
164 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Systems:<br />
1: SCSCPJA1 -<br />
2: SCSCPJA2 -<br />
-------------------------------------------------<br />
Select a server by number or 'Q' quit<br />
1<br />
Chosen server = SCSCPJA1<br />
Waiting for a reply to a request to flow request<br />
*<br />
Reply received<br />
No errors reported<br />
-------------------------------------------------<br />
ASCII:<br />
1st run OF EC02<br />
Hex:<br />
20202020202020203173742072756e204f462045433032202020202020202020202020202020200<br />
0000000000000000000000000000000000000000<br />
-------------------------------------------------<br />
Do you wish to run the program again in this Logical Unit of Work? - (Y/N)<br />
N<br />
C - Commit or R - rollback?<br />
C<br />
Committed logical unit of work on SCSCPJA1<br />
<strong>Gateway</strong> closed<br />
7.4 Problem determination<br />
7.4.1 Tips and utilities<br />
In this section, we document information we learned while configuring this<br />
scenario and information on problem determination and tracing.<br />
In this section, you will find useful commands and utilities for debugging<br />
problems with your configuration. You will also find some additional information<br />
about topics discussed in this chapter.<br />
ECI return codes<br />
<strong>The</strong> return codes for ECI calls can be found in the file header file cics_eci.h. This<br />
is not supplied on z/OS but can be found in the directory \ctg\include if using the
<strong>CICS</strong> TG on Windows, UNIX, or OS/2. A summary of some common errors we<br />
encountered is given below.<br />
ECI_ERR_NO_<strong>CICS</strong> -3<br />
We found this error can occur because of one of the following reasons:<br />
► <strong>CICS</strong> is not started.<br />
► Inter-region communication (IRC) has not been started.<br />
► <strong>The</strong> NETNAME in your EXCI connection (if using a specific connection) does<br />
not match the value of your DFHJVPIPE variable referred to on the STDENV<br />
DD card in the <strong>CICS</strong> TG startup JCL.<br />
ECI_ERR_SYSTEM_ERROR -9<br />
This error generally implies that there is a problem with the EXCI. We found this<br />
can be caused because the <strong>CICS</strong> TG user ID can not log on to DFHIRP. This is<br />
controlled by the DFHAPPL. and DFHAPPL. profiles in<br />
the RACF FACILITY class. For further details refer to Chapter 6, “<strong>CICS</strong> TG<br />
security scenarios” on page 99.<br />
An ECI_ERR_SYSTEM_ERROR is also generated if you try to run a<br />
transactional EXCI application (such as EciI1) and do not have a valid<br />
CTG_RRMNAME specified.<br />
An ECI_ERR_SYSTEM_ERROR can also be generated by security attach errors<br />
for the mirror transaction. For further details refer to page 129 in Chapter 6.<br />
An ECI_ERR_SYSTEM_ERROR can also be generated if the number of EXCI<br />
pipes in use exceeds 100. For further details, refer to 7.2.3, “EXCI pipe usage” on<br />
page 154.<br />
ECI_ERR_RESOURCE_SHORTAGE -16<br />
This error can occur if the <strong>CICS</strong> TG tries to allocate more pipes than there are<br />
receive sessions defined in the <strong>CICS</strong> SESSIONS definition. In this circumstance,<br />
you should consider configuring the RECEIVECOUNT parameter in the <strong>CICS</strong><br />
SESSIONS definition to be at least 100.<br />
ECI_ERR_SECURITY_ERROR -27<br />
This error can be caused by several different situations, including the following:<br />
1. Surrogate security checking has failed. Check the MVS system console for<br />
RACF errors. For details on configuring surrogate security with the <strong>CICS</strong> TG<br />
for z/OS, refer to “Surrogate user security” on page 101.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 165
166 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2. <strong>The</strong> <strong>CICS</strong> TG failed to authenticate the user ID and password specified in the<br />
ECI call. If you do not wish to authenticate this user ID and password within<br />
the <strong>CICS</strong> TG, ensure the variable AUTH_USERID_PASSWORD in ctgstart is<br />
commented out (preceded by a # character).<br />
STEPLIB — abend S806<br />
We found that if the STEPLIB was set incorrectly in the shell of the user ID that<br />
ran the <strong>Gateway</strong> daemon, then the <strong>CICS</strong> TG would abend S806 because it was<br />
unable to find the module DFHXCPRX from the STEPLIB library<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI. This was indicated by the message:<br />
CSV003I REQUESTED MODULE DFHXCPRX NOT FOUND<br />
To circumvent this problem, you should ensure the STEPLIB is set correctly in<br />
the ctgenvvar file, using a statement such as:<br />
EXCI_LOADLIB="<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI"<br />
You should also check that the .profile of the user that runs the <strong>CICS</strong> TG does<br />
not set the STEPLIB to point to a different library that may contain conflicting<br />
modules.<br />
z/OS TCP/IP commands<br />
We found the following TCP/IP commands very useful when analyzing network<br />
problems with our <strong>CICS</strong> TG for z/OS:<br />
► HOMETEST<br />
Issue this as a TSO command. If there is a valid TCP/IP address/host name, it<br />
will tell you what it is, along with other configuration information.<br />
► NETSTAT<br />
Issue this command to get information about the TCP/IP sockets that are in<br />
use (TSO and other platforms). <strong>The</strong> UNIX System Services version of this<br />
command can be invoked using the onetstat command.<br />
► NSLOOKUP <br />
Issue this as a TSO command. A valid TCP/IP address will tell you the host<br />
name and vice versa.<br />
► PING<br />
Use this to determine if an address is active and to resolve host names to IP<br />
addresses (see Example 7-19).<br />
Example 7-19 Pinging the z/OS host<br />
tso ping wtsc66oe.itso.ibm.com<br />
EZA0458I Ping CS V1R2: Pinging host WTSC66OE.ITSO.<strong>IBM</strong>.COM (9.12.6.29).
EZA0463I PING: Ping #1 response took 0.254 seconds. Successes so far 1.<br />
Java version<br />
To display the level of Java Development Kit (JDK) installed on your system, use<br />
the java -fullversion command as follows:<br />
>java -fullversion<br />
>java full version "J2RE 1.3.1 <strong>IBM</strong> OS/390 Persistent Reusable VM build<br />
hm131s-20011206"<br />
To find out what JVM is installed on your system, issue the following command to<br />
search for the location of the Java executable:<br />
>type java<br />
>java is /usr/lpp/java/<strong>IBM</strong>/J1.3/bin/java<br />
If this reports that java is not found, then you will need to add the directory for<br />
the Java libraries to your PATH environment variable. This is best added in the<br />
USS /etc/profile so that all users can use Java.<br />
USS SYS1.PARMLIB parameters<br />
<strong>The</strong> BPXPRMxx parameters are used when z/OS UNIX System Services is<br />
initialized. <strong>The</strong> parameters that are currently in effect can be displayed by the<br />
command shown in Example 7-20.<br />
Example 7-20 SYS1.PARMLIB(BPXPARxx)<br />
D OMVS,OPTIONS<br />
BPXO043I 19.34.33 DISPLAY OMVS 240<br />
OMVS 000F ACTIVE OMVS=(2C)<br />
CURRENT UNIX CONFIGURATION SETTINGS:<br />
MAXPROCSYS = 4096 MAXPROCUSER = 32767<br />
MAXFILEPROC = 65535 MAXFILESIZE = NOLIMIT<br />
MAXCPUTIME = 2147483647 MAXUIDS = 200<br />
MAXPTYS = 800<br />
MAXMMAPAREA = 4096 MAXASSIZE = 2147483647<br />
MAXTHREADS = 100000 MAXTHREADTASKS = 32767<br />
MAXCORESIZE = 4194304 MAXSHAREPAGES = 331072<br />
IPCMSGQBYTES = 262144 IPCMSGQMNUM = 10000<br />
IPCMSGNIDS = 20000 IPCSEMNIDS = 20000<br />
IPCSEMNOPS = 32767 IPCSEMNSEMS = 32767<br />
IPCSHMMPAGES = 524287 IPCSHMNIDS = 20000<br />
IPCSHMNSEGS = 1000 IPCSHMSPAGES = 2621440<br />
SUPERUSER = BPXROOT FORKCOPY = COW<br />
STEPLIBLIST = /usr/lpp/IMiner/steplib<br />
USERIDALIASTABLE= /etc/ualiastable<br />
PRIORITYPG VALUES: NONE<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 167
168 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
PRIORITYGOAL VALUES: NONE<br />
MAXQUEUEDSIGS = 100000 SHRLIBRGNSIZE = 67108864<br />
SHRL<strong>IBM</strong>AXPAGES = 3145728 VERSION = Z02RD1<br />
SYSCALL COUNTS = NO TTYGROUP = TTY<br />
SYSPLEX = YES BRLM SERVER = SC49<br />
LIMMSG = SYSTEM AUTOCVT = OFF<br />
RESOLVER PROC = DEFAULT<br />
To make these parameter changes permanent, you must edit the BPXPRMxx<br />
member of your SYS1.PARMLIB library. <strong>The</strong> changes will take effect after the<br />
next IPL. You can also make dynamic changes by using the SETOMVS command.<br />
For example:<br />
SETOMVS MAXPROCUSER=5000<br />
In addition, BPXPRMxx also contains the mount commands for your HFS<br />
structure. To display which HFS directories are mounted (available), you can use<br />
the MVS D OMVS, F command as shown in Example 7-21.<br />
Example 7-21 Partial listing of filesets mounted to UNIX System Services<br />
D OMVS,F<br />
BPXO045I 16.49.04 DISPLAY OMVS 526<br />
OMVS 000F ACTIVE OMVS=(2C)<br />
TYPENAME DEVICE ----------STATUS----------- MODE<br />
NFS 23178 UNOWNED READ<br />
NAME=CDROM<br />
PATH=/SC42/cdrom<br />
MOUNT PARM=erprisc2:/cdrom,XLAT(Y),VERS(2)<br />
OWNER= AUTOMOVE=N CLIENT=Y<br />
HFS 25058 ACTIVE RDWR<br />
NAME=CTGUSER.SCSCTG5.HFS<br />
PATH=/ctg/scsctg5<br />
OWNER=SC66 AUTOMOVE=Y CLIENT=N<br />
HFS 25058 ACTIVE RDWR<br />
NAME=CTGUSER.CTG500.HFS<br />
PATH=/usr/lpp/ctg500<br />
OWNER=SC66 AUTOMOVE=Y CLIENT=N<br />
For more information on these settings, refer to UNIX System Services Planning,<br />
SC28-1890.<br />
Running multiple <strong>Gateway</strong> daemons<br />
Once you have <strong>CICS</strong> TG running, you may find it necessary to start a second<br />
<strong>Gateway</strong> daemon. <strong>The</strong>re can be many reasons for this:<br />
► You need test and production <strong>CICS</strong> TG regions
► You are upgrading to a new version<br />
► You need more than 100 simultaneous pipes to <strong>CICS</strong> regions<br />
► You need to workload manage incoming EXCI requests<br />
<strong>The</strong> following areas need to be considered when cloning a <strong>CICS</strong> TG started task:<br />
► Set RACF permissions on the <strong>CICS</strong> TG started task<br />
► Clone started task JCL<br />
► Create a new logging directory in UNIX System Services<br />
► Create a new CONNECTION definition in <strong>CICS</strong><br />
► Create new STDENV member<br />
– Change the default <strong>CICS</strong> TG and TCP/IP ports<br />
– Change pipe name, if necessary<br />
– Change the location of the CTG.INI if necessary<br />
– Change the <strong>CICS</strong> TG starting location if necessary<br />
– Change the RRMNAME if necessary<br />
We detail each step in this process. However, we assume you have previously<br />
performed these tasks to set up the gateway. We do not go into as much detail as<br />
we have in previous sections.<br />
1. RACF permissions on the <strong>CICS</strong> TG started task<br />
If you have set up RACF definitions based on your <strong>CICS</strong> TG started task<br />
name, you will need to issue these commands again with your new <strong>CICS</strong> TG<br />
started task name. This could include creating a new user default user ID for<br />
your <strong>CICS</strong> TG started task.<br />
If you allow MRO link access on the <strong>CICS</strong> TG started task user ID, you will<br />
have to update this as well.<br />
2. Clone started task JCL in your proclib<br />
This involves creating a new started task and pointing it to a new STDENV<br />
file. You will also want to point your STDOUT and STDERR to different<br />
locations.<br />
3. Create a new logging directory in UNIX System Services<br />
<strong>The</strong> default is to send logs and traces to the same directory as the <strong>CICS</strong> TG<br />
executables. We found that turning traces on could consume a great deal of<br />
space.<br />
In our <strong>CICS</strong> TG JCL, we point our traces to a different directory, which is more<br />
of a good administration practice than a requirement. We mounted a different<br />
HFS data set as this directory, so our logging directory could fill up without<br />
causing problems for the <strong>CICS</strong> TG.<br />
4. New connection on <strong>CICS</strong><br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 169
7.4.2 Tracing<br />
170 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
While it is possible to share a pipe, it’s best to set up a new connection within<br />
<strong>CICS</strong>. We found it helpful in problem diagnosis to set up a different pipe as<br />
well as a different terminal prefix. Any transactions coming in via the new pipe<br />
are assigned the new terminal ID.<br />
5. Create a new STDENV member<br />
a. Change the default <strong>CICS</strong> TG and TCP/IP ports<br />
Depending on your implementation, you might want to change the default<br />
ports. If you do this, be sure to also change the applications connecting to<br />
the new <strong>CICS</strong> TG.<br />
If you are cloning your <strong>CICS</strong> TG to support workload balancing, you may<br />
want to keep the same ports and use the SHAREPORT parameter of<br />
TCP/IP.<br />
b. Change pipe name, if necessary<br />
Changing the pipe name when cloning a <strong>CICS</strong> TG may be a good idea,<br />
because it can help with diagnostics. Doing this will also require a new<br />
<strong>CICS</strong> CONNECTION definition and changes to the RACF profiles that<br />
control MRO link security.<br />
c. Change the location of the CTG.INI if necessary<br />
We used the <strong>CICS</strong>CLI variable to set the location of our CTG.INI to our<br />
own /ctg/scsctg4 HFS directory. If you run multiple <strong>Gateway</strong> daemons, we<br />
suggest you set up a new CTG.INI file for each <strong>Gateway</strong>, unless you wish<br />
to clone address spaces when using TCP/IP port sharing.<br />
d. Change the <strong>CICS</strong> TG starting location if necessary<br />
If cloning the same release and maintenance level, you do not have to<br />
update the stating location of the <strong>CICS</strong> TG in the <strong>CICS</strong> TG JCL. However,<br />
if you are testing new maintenance or a different release, you will have to<br />
change the starting locations using the environment variable<br />
CTGSTART_HOME. For details on how we set our environment variables,<br />
refer to 7.2.1, “Defining <strong>CICS</strong> TG environmental variables” on page 148.<br />
You may make references to the starting location in your ctgenvvar and<br />
STDENV DD members, so you should check these as well.<br />
e. Change the CTG_RRMNAME if necessary<br />
If using RRS, you will need to set up a unique CTG_RRMNAME for each<br />
<strong>CICS</strong> TG address space.<br />
To demonstrate the types of traces available, we show you how to diagnose an<br />
error using EXCI, <strong>CICS</strong> TG and JNI traces. We created an error by specifying an
incorrect CTG_RRMNAME (CCL.<strong>IBM</strong>.CTG5.XX) as the <strong>CICS</strong> TG environment<br />
variable. This caused an ECI_ERR_SYSTEM_ERROR (-9) return code on the<br />
ECI call.<br />
Tip: <strong>The</strong> error in our CTG_RRMNAME variable was that it did not end in UA.<br />
For further details on using transactional EXCI and defining the<br />
CTG_RRMNAME, refer to 7.2.1, “Defining <strong>CICS</strong> TG environmental variables”<br />
on page 148.<br />
EXCI trace<br />
<strong>The</strong> first trace we illustrate is an EXCI trace of the <strong>Gateway</strong> daemon started task<br />
on z/OS. This trace is more complicated to set up than the other traces, but has<br />
the advantage that the trace table is stored in the <strong>Gateway</strong> region address space,<br />
and so can be analyzed after the error (providing the trace is still in the buffer).<br />
<strong>The</strong> process for getting an EXCI trace is outlined in the manual z/OS <strong>Gateway</strong><br />
Administration, SC34-5935, and is repeated here for clarity.<br />
1. Use the following command to display all OMVS tasks:<br />
/D OMVS,A=ALL<br />
2. Find the <strong>Gateway</strong> address space, and note the address space ID (ASID).<br />
Tip: By default the <strong>Gateway</strong> started task uses two address spaces, one for the<br />
UNIX System Services shell running the ctgstart script and one for the<br />
address space running the JVM for the <strong>Gateway</strong> daemon. In our configuration,<br />
the ctgstart address space was called SCSCTG5 and the JVM address space<br />
was called SCSCTG55. We dumped the JVM address space SCSCTG55,<br />
because this is the address space that performs EXCI calls.<br />
3. Enter the DUMP command with a suitable comment. For example:<br />
/DUMP COMM=(JGATE DUMP RRS)<br />
4. Reply to the message with the ASID as follows:<br />
/R 495,ASID=401,END<br />
where 495 is the message number for the reply, and 401 is the ASID.<br />
5. <strong>The</strong> system will dump as shown in Example 7-22. Note the dump name<br />
created. In our example, the dump name was<br />
DUMP.D0529.H17.SC66.#MASTER#.S00072.<br />
Example 7-22 Dumping the <strong>Gateway</strong> address space in SDSF<br />
R 495,ASID=401,END<br />
IEE600I REPLY TO 495 IS;ASID=401,END<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 171
172 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
DUMPID=022 REQUESTED BY JOB (*MASTER*)<br />
DUMP TITLE=JGATE DUMP RRS<br />
$HASP100 BPXAS ON STCINRDR<br />
$HASP373 BPXAS STARTED<br />
IEF403I BPXAS - STARTED - TIME=13.26.12 - ASID=008A - SC61<br />
IEF196I IGD101I SMS ALLOCATED TO DDNAME (SYS00076)<br />
IEF196I DSN (DUMP.D0529.H17.SC66.#MASTER#.S00072 )<br />
IEF196I STORCLAS (SCDUMP) MGMTCLAS (STANDARD) DATACLAS (<br />
IEF196I )<br />
IEF196I VOL SER NOS= DUMPS2<br />
6. Go into IPCS and select option 0. Enter the dump name as shown in<br />
Figure 7-8 on page 172.<br />
----------------------- IPCS Default Values ---------------- LOCAL updated<br />
Command ===><br />
You may change any of the defaults listed below. <strong>The</strong> defaults shown before<br />
any changes are LOCAL. Change scope to GLOBAL to display global defaults.<br />
Scope ==> LOCAL (LOCAL, GLOBAL, or BOTH)<br />
If you change the Source default, IPCS will display the current default<br />
Address Space for the new source and will ignore any data entered in<br />
the Address Space field.<br />
Source ==> DSNAME('DUMP.D0529.H17.SC66.#MASTER#.S00072')<br />
Address Space ==><br />
Message Routing ==> NOPRINT TERMINAL<br />
Message Control ==> CONFIRM VERIFY FLAG(WARNING)<br />
Display Content ==> MACHINE REMARK REQUEST STORAGE SYMBOL<br />
Press ENTER to update defaults.<br />
Figure 7-8 Defining the dump to IPCS<br />
7. Format the dump using the <strong>CICS</strong> TS V2.2 trace formatter by going to option 6<br />
within IPCS and entering VERBX DFHPD620 ‘TR=1’ (the last parameter<br />
requests an abbreviated trace). Pressing Enter on this screen formats the<br />
dump. IPCS asks whether you want to use summary dump data. Reply Y as<br />
shown in Figure 7-9.
Figure 7-9 Formatting the <strong>Gateway</strong> dump in IPCS<br />
8. On the resulting IPCS formatted dump output, you now need to find the EXCI<br />
trace table. To do this, enter the command FIND ‘TRACE TABLE’.<br />
Example 7-23 show the output from our job. Note the ECI_PARAMETERS_OUTPUT<br />
line. <strong>The</strong> return code of -9 equates to an ECI_ERR_SYSTEM_ERROR, which<br />
is a generic code for many types of EXCI failures.<br />
Example 7-23 IPCS dump trace table<br />
INTERNAL TRACE TABLE<br />
IKJ56650I TIME-01:29:19 PM. SERVICE-2194025 SESSION-01:28:36 MAY 29,2002<br />
BLS18122I Init in progress for DSNAME('DUMP.D0529.H17.SC66.#MASTER#.S00072')<br />
BLS18124I TITLE=JGATE DUMP RRS<br />
BLS18223I Dump written by z/OS 01.02.00 SVC dump - level same as IPCS level<br />
BLS18222I z/Architecture mode system<br />
BLS18160D May summary dump data be used by dump access?<br />
Enter Y to use, N to bypass.<br />
Y<br />
BLS18123I 43,332 blocks, 180,261,120 bytes, in<br />
DSNAME('DUMP.D0529.H17.SC66.#MASTER#.S00072')<br />
IKJ56650I TIME-01:29:44 PM. CPU-00:00:05 SERVICE-2393143 SESSION-01:29:00 MAY<br />
Dump of z/OS 01.02.00 - level same as IPCS level<br />
***<br />
XCI EXCI EX 1001 XCPRH EXIT INITIALIZE_USER OK,OK<br />
XCI EXCI EX 8000 JVDLL ENTRY ECI_PARAMETERS_PASSED Worker-0,1<br />
XCI EXCI EX 8003 JVDLL DATA CONVERTED_PARAMETER Worker-0,jstrServer,SCSCPJA1<br />
XCI EXCI EX 8003 JVDLL DATA CONVERTED_PARAMETER Worker-0,jstrProgram,EC02<br />
XCI EXCI EX 8004 JVDLL DATA INBOUND_COMMAREA Worker-0,80,11517C78<br />
XCI EXCI EX 8030 ????? ????? **_POINT_ID_NOT_RECOGNISED_**<br />
XCI EXCI EX 8007 JVDLL EXIT ECI_PARAMETERS_OUTPUT Worker-0,1,-9<br />
XCI EXCI EX 03ED ????? ????? **_POINT_ID_NOT_RECOGNIZED_**<br />
XCI EXCI EX 8000 JVDLL ENTRY ECI_PARAMETERS_PASSED Worker-0,1<br />
However, at this stage the EXCI trace doesn’t give us enough information to<br />
solve the error, so we continue on to the <strong>Gateway</strong> daemon trace.<br />
Tip: You can also use the MVS generalize trace facility (GTF) to analyze both<br />
<strong>CICS</strong> and EXCI traces. However, this tracing is better suited to in-depth error<br />
analysis, since it requires the GTF proc to be started and initialized in order to<br />
collect the data. It does, however, provide the very useful feature of being able<br />
to interleave both EXCI and <strong>CICS</strong> trace entries. For further details on how we<br />
used GTF tracing, refer to “GTF tracing” on page 179.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 173
174 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>Gateway</strong> daemon trace<br />
<strong>The</strong> <strong>Gateway</strong> daemon trace shows calls that the <strong>CICS</strong> TG sends and receives.<br />
<strong>The</strong>re are two ways of starting the <strong>Gateway</strong> daemon trace, dynamic and static.<br />
Dynamic tracing requires the new TCPAdmin protocol handler be set up in the<br />
CTG.INI file. <strong>The</strong> static trace depends on parameters specified in the <strong>CICS</strong> TG<br />
startup JCL and requires the <strong>CICS</strong> TG address space to be recycled.<br />
Dynamic trace (gateway)<br />
Here we assume the TCPAdmin protocol handler has been activated in the<br />
CTG.INI file. This allows an administrator to activate and de-activate trace on a<br />
running <strong>Gateway</strong> using the supplied ctgadmin.jar file. To activate the TCPAdmin<br />
protocol handler, we added the following lines to our CTG.INI file:<br />
protocol@admin.handler=com.ibm.ctg.server.RestrictedTCPHandler<br />
protocol@admin.parameters=port=2810;\<br />
sotimeout=1000;\<br />
connecttimeout=2000;\<br />
idletimeout=600000;\<br />
pingfrequency=60000;\<br />
maxconn=5;<br />
1. From within TSO OMVS, we changed our directory to<br />
/usr/lpp/ctg500/ctg/classes/. We entered the command to query the current<br />
state of the trace:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810 -a=qtrace<br />
Example 7-24 shows the result of this command. <strong>The</strong> tlevel in the <strong>Gateway</strong><br />
trace settings is 0, indicating tracing is off.<br />
Example 7-24 <strong>CICS</strong> TG for z/OS TCPAdmin query command<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>Gateway</strong> trace settings:<br />
tlevel=0<br />
truncationsize=80<br />
dumpoffset=0<br />
tfile=/ctg/scsctg5/logs/ctg.trace<br />
tfilesize=0<br />
JNI trace settings:<br />
tlevel=0<br />
tfile=/ctg/scsctg5/logs/jni.trace<br />
<strong>The</strong> command completed successfully<br />
2. To turn trace on, we enter:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810<br />
-a=setgwtrace -tlevel=4
We see the output:<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>The</strong> command completed successfully<br />
3. To verify our command worked, we enter the query command again:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810 -a=qtrace<br />
Example 7-25 <strong>CICS</strong> TG for z/OS TCPAdmin query command<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>Gateway</strong> trace settings:<br />
tlevel=4<br />
truncationsize=80<br />
dumpoffset=0<br />
tfile=/ctg/scsctg5/logs/ctg.trace<br />
tfilesize=0<br />
JNI trace settings:<br />
tlevel=0<br />
tfile=/ctg/scsctg5/logs/jni.trace<br />
<strong>The</strong> command completed successfully<br />
Static trace (gateway)<br />
1. On your <strong>CICS</strong> TG JCL you first need to modify the start procedure to specify<br />
the use of tracing and a trace file. In our example, the <strong>CICS</strong> TG runs as a<br />
started task. <strong>The</strong> command is similar but is specified as a JCL PARM as<br />
shown below:<br />
//GATE<strong>V5</strong>00 EXEC PGM=BPXBATCH,REGION=0M,<br />
// PARM='SH /usr/lpp/ctg500/ctg/bin/ctgstart -noinput -x<br />
// -tfile=/ctg/scsctg5/logs/ctg.trace'<br />
2. After the <strong>CICS</strong> TG task is stopped and started, the sample is attempted again<br />
and the resulting trace output file is viewed. In Example 7-26 we see the <strong>CICS</strong><br />
TG makes a call to the JNI. <strong>The</strong> Before JNI line shows the specifics of the<br />
call, while the After JNI line shows the return code (-9) resulting from the JNI<br />
call.<br />
<strong>The</strong> last line shows that the <strong>CICS</strong> TG takes the response from the JNI, and<br />
formats the ECI_ERR_SYSTEM_ERROR message to send to the <strong>CICS</strong> TG.<br />
Example 7-26 <strong>CICS</strong> TG trace table<br />
13:40:50:880 : ConnectionManager-0: S-C: CCL6602I: <strong>Gateway</strong>Request type = ECI, flow version =<br />
4194304, flow type = 1, <strong>Gateway</strong> return code = 0, length of data following the header = 41.<br />
13:40:50:950 : ConnectionManager-0: S-C: CCL6513I: About to receive remainder of a request.<br />
Ýcom.ibm.ctg.server.ServerECIRequest¨<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 175
13:40:51:040 : ConnectionManager-0: S-C: CCL6727I: ECIRequest: Commarea_Length = 80.<br />
13:40:51:063 : ConnectionManager-0: S-C: CCL6720I: ECIRequest: Call_Type = ECI_ASYNC, Server =<br />
SCSCPJA1, Program = EC02, Transid = , Extend_Mode = ECI_EXTENDED, Luw_Token = 0,<br />
Message_Qualifier = 0, Callbackable = true.<br />
13:40:51:069 : ConnectionManager-0: S-C: CCL6727I: ECIRequest: Commarea_Length = 80.<br />
13:40:51:151 : ConnectionManager-0: S-C: CCL6512I: Waiting to receive a request.<br />
ÝConnectionManager-0¨<br />
13:40:51:166 : Worker-0: S-C: CCL6514I: Accepting work request. ÝWorker-0¨<br />
ÝConnectionManager-0¨<br />
13:40:51:389 : Worker-0: .TCPHandler:CCL6603I: # Dump: 32/32 bytes : Offset = 0 Reply flow<br />
13:40:51:410 : Worker-0: S-C: CCL6523I: About to execute work request. ÝWorker-0¨<br />
13:40:51:428 : Worker-0: S-C: CCL6695I: Before JNI CcicsECI(1) : Server=SCSCPJA1, Program=EC02,<br />
Commarea.Length=80, ExtendMode=1, LUW=0.<br />
13:40:51:514 : Worker-0: S-C: CCL6693I: After JNI CcicsECI(1) : Rc=-9, LUW/TermIndex=0<br />
13:40:51:581 : Worker-0: S-C: CCL6721I: ECIRequest: Call_Type = ECI_ASYNC, Cics_Rc =<br />
ECI_ERR_SYSTEM_ERROR, Abend_Code = , Luw_Token = 0, Message_Qualifier = 0.<br />
176 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
This trace tells us the <strong>CICS</strong> TG is working normally but we need to look further<br />
into the JNI. <strong>The</strong> next step is to the trace the <strong>CICS</strong> TG JNI module (libCTGJNI) to<br />
determine what is causing the bad return code from the JNI call.<br />
JNI trace<br />
<strong>The</strong> third type of trace is the <strong>CICS</strong> TG Java Native Interface (JNI) trace. Like the<br />
<strong>CICS</strong> TG trace, there are two ways of starting the JNI trace, dynamic and static.<br />
Dynamic JNI tracing is new in <strong>CICS</strong> TG for z/OS <strong>V5</strong>.0 and requires the<br />
TCPAdmin be set up in the CTG.INI. We demonstrate dynamic tracing, but used<br />
static tracing for our problem diagnosis.<br />
<strong>The</strong> static trace depends on parameters specified in the <strong>CICS</strong> TG startup JCL<br />
and requires the <strong>CICS</strong> TG address space to be recycled.<br />
New in <strong>CICS</strong> TG for z/OS <strong>V5</strong>.0 is the default logging of EXCI return codes. <strong>The</strong>se<br />
are written to unique files in the directory $HOME/ibm/ctgjnilog.* and are very<br />
useful for quick problem determination.<br />
Dynamic trace (JNI)<br />
Here we assume the TCPAdmin client has been specified in the CTG.INI file.<br />
1. From within TSO OMVS, we changed our directory to<br />
/usr/lpp/ctg500/ctg/classes/. We entered the command to query the current<br />
state of the trace:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810 -a=qtrace<br />
Example 7-27 shows the result of this command. <strong>The</strong> tlevel in the JNI trace<br />
settings is 0, indicating tracing is off.
Example 7-27 <strong>CICS</strong> TG for z/OS TCPAdmin query command<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>Gateway</strong> trace settings:<br />
tlevel=4<br />
truncationsize=80<br />
dumpoffset=0<br />
tfile=/ctg/scsctg5/logs/ctg.trace<br />
tfilesize=0<br />
JNI trace settings:<br />
tlevel=0<br />
tfile=/ctg/scsctg5/logs/jni.trace<br />
<strong>The</strong> command completed successfully<br />
2. To turn trace on, we entered:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810<br />
-a=setjnitrace -tlevel=1<br />
We saw the output:<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>The</strong> command completed successfully<br />
3. To verify our command worked, we entered the query command again:<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810 -a=qtrace<br />
Example 7-28 <strong>CICS</strong> TG for z/OS TCPAdmin query command<br />
CTGCtrl - CTG Control Program, version 5.0.0<br />
(C) Copyright <strong>IBM</strong> Corporation 2002. All rights reserved<br />
<strong>Gateway</strong> trace settings:<br />
tlevel=4<br />
truncationsize=80<br />
dumpoffset=0<br />
tfile=/ctg/scsctg5/logs/ctg.trace<br />
tfilesize=0<br />
JNI trace settings:<br />
tlevel=1<br />
tfile=/ctg/scsctg5/logs/jni.trace<br />
<strong>The</strong> command completed successfully<br />
Static trace (JNI)<br />
This is activated using the CTG_JNI_TRACE environment variable, which can be<br />
set in your ctgstart script, in the ctgenvvar file, or in the STDENV DD in the <strong>CICS</strong><br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 177
178 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
TG started task. We chose the STDENV method and added the following<br />
parameter to the PDS member referenced on our STDENV DD statement:<br />
CTG_JNI_TRACE=/ctg/scsctg5/logs/jni.trace<br />
This caused the JNI trace to be written out to the HFS file specified. <strong>The</strong> JNI<br />
trace includes information about the ECI requests and the EXCI flows the <strong>CICS</strong><br />
TG creates. Example 7-29 shows the output of the JNI trace.<br />
Example 7-29 <strong>CICS</strong> TG trace table<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> JNI Trace file for z/OS Version 5.0 Service Level 00 , Build Level<br />
c000-20020621<br />
04:30:50.745 CM-0 ¨ : CCL6806I: CcicsInit: Register with RRS. Return code = 768.<br />
04:30:53.172 Worker-0 ¨ : CCL6800I: CcicsECI: ECI parameters on entry. Call_Type = 1,<br />
Extend_Mode = 1, Luw_Token = 0, Commarea_Length = 80, Cics_Rc = 0, Flags = 0.<br />
04:30:53.190 Worker-0 ¨ : CCL6801I: CcicsECI: Performed parameter conversion. parameter<br />
name = jstrServer, parameter value = SCSCPJA1.<br />
04:30:53.206 Worker-0 ¨ : CCL6801I: CcicsECI: Performed parameter conversion. parameter<br />
name = jstrProgram, parameter value = EC02 .<br />
04:30:53.219 Worker-0 ¨ : CCL6802I: CcicsECI: Input commarea information. commarea length =<br />
80, commarea address = 11517c78.<br />
04:30:53.234 Worker-0 ¨ : CCL6818E: CcicsECI: Begin Context failed. RRM Return code = 1878.<br />
04:30:53.248 Worker-0 ¨ : CCL6805I: CcicsECI: ECI parameters on exit. Call_Type = 1,<br />
Extend_Mode = 1, Luw_Token = 0, Commarea_Length = 80, Cics_Rc = -9, AV = 0.<br />
We begin reading our trace from the bottom up. <strong>The</strong> last line shows the output<br />
we pass back to the <strong>CICS</strong> TG. <strong>The</strong> next line up shows we received a return code<br />
1878 from RRS.<br />
In looking at the MVS Programming: Resource Recovery, GC28-1739, we see<br />
that error codes must be converted from decimal to hexadecimal. Decimal 1878<br />
is hex 756, which translates to CRG_AUTH_FAILURE. <strong>The</strong> text of a 756 error<br />
tells us the program encountered an error registering with the resource manager.<br />
At this point, we should start to suspect RRS and thus the setting of the <strong>CICS</strong> TG<br />
CTG_RRMNAME variable.<br />
A further confirmation of this lies in the second line from the top. This shows the<br />
<strong>CICS</strong> TG trying to register its RRMNAME with RRS. It receives a 768 return<br />
code, which is a hex 300. <strong>The</strong> MVS Programming: Resource Recovery,<br />
GC28-1739 shows the 300 error to be a CRG_RM_NAME_INV and the help text<br />
of the message details that the resource manager name specified in the call is<br />
incorrect.<br />
Knowing this information, we changed the CTG_RRMNAME to a valid name<br />
(CCL.CTG.<strong>IBM</strong>.UA), restarted the <strong>CICS</strong> TG, and the example started working.
Tip: In <strong>CICS</strong> TG for z/OS <strong>V5</strong>.0 the EXCI JNI logs can also now be quickly and<br />
easily used to identify the majority of EXCI problems. <strong>The</strong> logs are written to<br />
unique files in the directory $HOME/ibm/ctgjnilog.<br />
EXCI subreasons<br />
Finally, we created an error to illustrate the use of EXCI subreasons. <strong>The</strong>se<br />
subreasons are helpful in that they provide another facet of problem diagnosis.<br />
This time we forced an error by closing IRC on the <strong>CICS</strong> region. <strong>The</strong> EXCI and<br />
<strong>Gateway</strong> traces simply provide a generic EXCI 203 (ECI_ERR_NO_<strong>CICS</strong>) error.<br />
<strong>The</strong> 203 error also shows up on the JNI trace, so we skip the EXCI and <strong>Gateway</strong><br />
traces.<br />
We ran our test application and Example 7-30 shows the significant line from the<br />
JNI trace.<br />
Example 7-30 JNI trace table, EXCI subreasons<br />
01:05:11.721 Worker-0 ¨ : CCL6822E: CcicsECI: EXCI function error. Function<br />
Call = 3, Response = 8, Reason = 203, Subreason field-1 = 92,<br />
subreason field-2 = 0, Cics_Rc = -3<br />
We see the 203 error that we would have seen on the EXCI trace table and the<br />
<strong>Gateway</strong> trace. In addition, we see a Subreason field-1 of 92.<br />
To find out the meaning of a subreason 92, we need to look in<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHMAC(DFHIRSDS). After converting decimal 92 to a hex<br />
5C, we see this equates to “SYSTEM NOT LOGGED ON”.<br />
This is more specific than the general NO_<strong>CICS</strong> error and led us to check to see<br />
the state of IRC on our target <strong>CICS</strong> region. Of course we knew this, since we<br />
deliberately closed it in the first place.<br />
GTF tracing<br />
Both the EXCI and <strong>CICS</strong> itself support trace entries to be written to GTF. In the<br />
following example, we give a brief explanation of how we debugged a simple<br />
problem with the <strong>CICS</strong> TG for z/OS using GTF tracing. In this error scenario, the<br />
call using EciB1 failed with ECI_ERR_TRANSACTION_ABEND (-7) and AEI0,<br />
due to the disabling of the invoked program, EC01 within <strong>CICS</strong>.<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 179
180 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: <strong>The</strong> principal advantage of GTF tracing is that the EXCI and <strong>CICS</strong> trace<br />
entries can be combined in the same output, which can help considerably in<br />
problem determination. However, the <strong>Gateway</strong> daemon and JNI trace cannot<br />
be written to GTF and must be analyzed separately.<br />
► To start with, you must enable both EXCI and <strong>CICS</strong> trace entries to be written<br />
to GTF. <strong>The</strong> DFHXCOPT table is used to control EXCI tracing and to activate<br />
an EXCI trace. You need to specify TRACE=2, and GTF=ON in the<br />
DFHXCOPT table, as shown in Example 7-31.<br />
Example 7-31 EXCI options table, DFHXCOPT<br />
DFHXCO TYPE=CSECT,<br />
TIMEOUT=0, No timeout<br />
TRACE=2, Trace entries<br />
TRACESZE=1024, Trace table<br />
DURETRY=30, Retry SDUMPS for 30 seconds<br />
TRAP=OFF, DFHXCTRA - OFF<br />
GTF=ON, GTF - ON<br />
MSGCASE=MIXED, Mixed case messages<br />
<strong>CICS</strong>SVC=0, EXCI will obtain <strong>CICS</strong> SVC number<br />
CONFDATA=SHOW, Show user commarea data in trace<br />
SURROGCHK=YES Perform surrogate-user check @P1C<br />
END DFHXCOPT<br />
► GTF tracing from <strong>CICS</strong> can be activated using the CETR transaction as<br />
shown in Figure 7-10, by setting the GTF Trace Status to STARTED. We also<br />
reduced the <strong>CICS</strong> trace entries to IS=1-2 and PC=1 to capture only MRO and<br />
program control trace entries. This can be achieved using PF4 on the CETR<br />
screen.
CETR <strong>CICS</strong> Trace Control Facility PJA1 SCSCPJA1<br />
Type in your choices.<br />
Item Choice Possible choices<br />
Internal Trace Status ===> STARTED STArted, STOpped<br />
Internal Trace Table Size ===> 64 K 16K - 1048576K<br />
Auxiliary Trace Status ===> STOPPED STArted, STOpped, Paused<br />
Auxiliary Trace Dataset ===> A A, B<br />
Auxiliary Switch Status ===> NEXT NO, NExt, All<br />
GTF Trace Status ===> STARTED STArted, STOpped<br />
Master System Trace Flag ===> ON ON, OFf<br />
Master User Trace Flag ===> ON ON, OFf<br />
When finished, press ENTER.<br />
PF1=Help 3=Quit 4=Components 5=Ter/Trn 9=Error List<br />
Figure 7-10 <strong>CICS</strong> CETR transaction<br />
► To activate GTF, you will need to start your GTF started task. <strong>The</strong> JCL for our<br />
started task is shown in Example 7-32.<br />
Example 7-32 GTF proc<br />
//GTFNEW PROC MEMBER=GTFPARM<br />
//IEFPROC EXEC PGM=AHLGTF,PARM='MODE=EXT,DEBUG=NO,TIME=YES',<br />
// TIME=1440,REGION=2880K<br />
//IEFRDER DD DSNAME=SYS1.TRACE, UNIT=SYSDA,SPACE=(CYL,100),<br />
// DISP=SHR<br />
//SYSLIB DD DSNAME=SYS1.PARMLIB(&MEMBER),DISP=SHR<br />
► <strong>The</strong> SYS1.PARMLIB(GTF) member referenced in Example 7-32 on page 181<br />
defines the following options for GTF:<br />
TRACE=USRP<br />
USR=F6C<br />
END<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 181
182 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► Once GTF has initialized, you will need to reply U to the initialization message<br />
as shown in Example 7-33.<br />
Example 7-33 Reply to GTF commands<br />
17.40.18 STC08965 *002 AHL125A RESPECIFY TRACE OPTIONS OR REPLY U<br />
17.40.30 STC08965 R 002,U<br />
17.40.30 STC08965 U<br />
17.40.30 STC08965 AHL906I THE OUTPUT BLOCK SIZE OF 4096 WILL BE USED FOR<br />
OUTPUT 111<br />
111 DATA SETS:<br />
111 WAKELIN.TRACE<br />
17.40.30 STC08965 AHL080I GTF STORAGE USED FOR GTF DATA: 112<br />
112 GTFBLOCK STORAGE 40K BYTES (BLOK= 40K)<br />
112 PRIVATE STORAGE 1024K BYTES<br />
112 SADMP HISTORY 40K BYTES (SADMP= 40K)<br />
112 SDUMP HISTORY 40K BYTES (SDUMP= 40K)<br />
112 ABEND DUMP DATA 0K BYTES (ABDUMP= 0K)<br />
17.40.30 STC08965 AHL031I GTF INITIALIZATION COMPLETE<br />
17.40.57 STC08965 AHL006I GTF ACKNOWLEDGES STOP COMMAND<br />
► GTF tracing is now active and trace entries from the <strong>CICS</strong> TG and the <strong>CICS</strong><br />
region will be captured by GTF.<br />
► Once the trace is complete you should terminate the <strong>CICS</strong> TG started task<br />
using the command /P GTF.<br />
► To format GTF trace entries, you will need to enter IPCS from SDSF and then<br />
from option 6 enter the command:<br />
GTF DSN('SYS1.TRACE') USR<br />
Where SYS1.TRACE is your GTF trace data set allocated in your GTF proc (see<br />
Example 7-32 on page 181).<br />
This will then produce the formatted trace output for the EXCI and <strong>CICS</strong> trace<br />
entries. An abbreviated output from the formatted trace is shown in<br />
Example 7-34, showing the ECI return code -7 caused by the our PGMIDERR<br />
condition.<br />
Example 7-34 Formatted GTF EXCI and <strong>CICS</strong> trace entries<br />
EX 8003 JVDLL DATA - CONVERTED_PARAMETER JAVA_TID(Worker-0) NAME(jstrServer) VALUE(SCSCPJA1)<br />
....<br />
EX 8003 JVDLL DATA - CONVERTED_PARAMETER JAVA_TID(Worker-0) NAME(jstrProgram) VALUE(EC01 )<br />
....<br />
EX 1000 XCPRH ENTRY - OPEN_PIPE TOKEN(1B503130) TO <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
....<br />
EX 2001 XCPRH EVENT IRP_CONNECT TO <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
....<br />
EX 1001 XCPRH EXIT - OPEN_PIPE RESPONSE(OK) REASON(OK)
....<br />
EX 1000 XCPRH ENTRY - DPL TO PROGRAM(EC01 ) ON <strong>CICS</strong>(SCSCPJA1) USING PIPE(1B503130) BY<br />
USER(SCSCTG5 )<br />
....<br />
EX 2004 XCPRH EVENT SWITCH_REQUEST SENT TO <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
....<br />
EX 2005 XCPRH DATA DATA SENT ON PIPE(1B503130) BY USER(SCSCTG5 )<br />
....<br />
AP DD18 CRNP EVENT - DEQUEUE WORK ELEMENT TYPE (NEW CONNECT WITH INPUT RECEIVED) TIMESTAMP<br />
(B7F888FFBCB65E06) SCCB AT 7F58B SYSTEM SCSCTG5<br />
....<br />
EX 0802 XCPRH *EXC* - PGMIDERR_DETECTED - PROGRAM(EC01 ) ON <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
....<br />
EX 8011 JVDLL *EXC* - DPL_REQUEST_ERROR ECI_RC(-7)<br />
....<br />
EX 1000 XCPRH ENTRY - CLOSE_PIPE TOKEN(1B503130) TO <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
....<br />
EX 2002 XCPRH EVENT IRP_DISCONNECT FROM <strong>CICS</strong>(SCSCPJA1) BY USER(SCSCTG5 )<br />
Chapter 7. TCP connections to the <strong>Gateway</strong> daemon on z/OS 183
184 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 8. SSL connections to the<br />
<strong>Gateway</strong> daemon on z/OS<br />
8<br />
In this chapter, we show you how we implemented an encrypted Secure Sockets<br />
Layer (SSL) connection from a remote Java client application to our <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) running on z/OS. We used both the System SSL<br />
protocol handler and the Java Secure Sockets Extension (JSSE) SSL protocol<br />
handler. We tested the configuration using the sample Java application EciB1<br />
running as a stand-alone Java application on a Windows workstation. This is<br />
illustrated in Figure 8-1 on page 186.<br />
For details on how to install the <strong>CICS</strong> TG on z/OS and configure the <strong>Gateway</strong><br />
daemon, refer to Chapter 7, “TCP connections to the <strong>Gateway</strong> daemon on z/OS”<br />
on page 133.<br />
For more details on the SSL protocol, refer to Chapter 3, “Security technologies”<br />
in Securing Web Access to <strong>CICS</strong>, SG24-5756.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 185
8.1 Preparation<br />
186 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> following section details the software levels we used in our sample<br />
configuration and gives you a checklist of the definitions required to begin your<br />
configuration.<br />
Windows<br />
Java<br />
application<br />
IP network<br />
SSL<br />
SystemSSL<br />
JSSE SSL<br />
Figure 8-1 Software components: <strong>CICS</strong> TG for z/OS with SSL<br />
z/OS<br />
<strong>CICS</strong> TS<br />
EXCI<br />
<strong>CICS</strong><br />
<strong>Transaction</strong><br />
<strong>Gateway</strong><br />
daemon<br />
In the following section, you will find details on how we:<br />
► Configured Windows to use the JSSE libraries.<br />
► Obtained an externally signed SSL server test certificate and deployed it for<br />
use with the <strong>CICS</strong> TG using the z/OS tool gskkyman.<br />
► Configured a self-signed server certificate and deployed it for use with the<br />
<strong>CICS</strong> TG using the Java tool keytool.<br />
► Created a JSSE client keystore.<br />
► Configured the Java client on Windows to use the <strong>CICS</strong> TG Java classes.
8.1.1 Software checklist<br />
We used the levels of software shown in Table 8-1.<br />
Table 8-1 Software checklist: <strong>CICS</strong> TG for z/OS SSL<br />
Client Workstation z/OS<br />
WIndows 2000 Service Pack 2 z/OS V2.1<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.00 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.00<br />
<strong>IBM</strong> Java Development Kit V1.3.0 <strong>IBM</strong> Java Development Kit V1.3.1S<br />
8.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used to configure this scenario are summarized in Table 8-2<br />
and Table 8-3 on page 188. <strong>The</strong> definitions we used for creating SSL certificates<br />
are listed in Table 8-4 on page 188. Before you configure your components, we<br />
recommend that you document the same parameters for your configuration.<br />
Table 8-2 Definitions checklist: <strong>CICS</strong> TG for z/OS SSL<br />
<strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
JSSE Version 1.0.2 build 20020411. JSSE included in JDK<br />
JCE Version 1.2.1 build 020118.<br />
<strong>CICS</strong> TG for z/OS <strong>CICS</strong> <strong>Transaction</strong> Server Example<br />
hostname wtsc66oe.itso.ibm.com<br />
<strong>CICS</strong> TG network<br />
protocol<br />
System SSL port 8052<br />
JSSE SSL port 8062<br />
pipe NETNAME SCSCTG5<br />
SSL key database and<br />
keystore password<br />
SSL key label and<br />
keystore alias<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 187<br />
ssl<br />
APPLID SCSCPJA1<br />
default<br />
ITSO
8.2 Configuration<br />
188 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Table 8-3 Definitions checklist: <strong>CICS</strong> TG for z/OS SSL JDK configuration<br />
Platform JDK install directory<br />
Windows C:\Program Files\<strong>IBM</strong>\Java13<br />
z/OS /usr/lpp/java/<strong>IBM</strong>/J1.3<br />
Table 8-4 Definitions checklist: Certificate field information<br />
X.500 distinguished<br />
name field<br />
gskkyman field Example<br />
cn common name wtsc66oe.itso.ibm.com<br />
o organization <strong>IBM</strong><br />
ou organization unit ITSO<br />
l city/locality San Jose<br />
s state/province California<br />
c country name US<br />
<strong>The</strong>re are three versions of SSL that you can use with the z/OS <strong>CICS</strong> TG.<br />
► System SSL<br />
► SSLight<br />
► JSSE<br />
We will discuss these in the following sections.<br />
SystemSSL<br />
System SSL is specific to z/OS and uses the native SSL function provided by the<br />
z/OS Integrated Cryptographic Service Facility (ICSF). It offers the added<br />
advantage of being able to utilize the z/OS Cryptographic Coprocessor feature,<br />
which can substantially reduce the CPU cost of SSL handshakes and SSL data<br />
encryption. It is supported by its own key management tool, which is known as<br />
gskkyman, and can use both externally signed and self-signed certificates.<br />
Certificates created and managed by System SSL are held in a key database<br />
file (.kdb).<br />
SSLight<br />
<strong>The</strong> <strong>CICS</strong> TG supports the Java-based SSLight toolkit, which is provided with<br />
<strong>CICS</strong> TG on all platforms (including z/OS). It is supported by the <strong>CICS</strong> TG key
management tool ctgikey, which uses the iKeyman tool; iKeyman uses Java<br />
class files (termed keyrings) to hold certificates.<br />
JSSE<br />
<strong>The</strong> <strong>CICS</strong> TG also supports the Java-based JSSE library that is provided with<br />
<strong>CICS</strong> TG on all platforms (including z/OS). It is supported by the JSSE key<br />
management tools keytool and iKeyman. JSSE uses files (termed keystores)<br />
to hold certificates. Keytool provides a command-line based interface for<br />
manipulating keystores, whereas iKeyman uses a GUI interface. Keytool only<br />
generates X.509 Version 1 certificates, whereas iKeyman generates X.509<br />
Version 3 certificates, which are more flexible than older versions.<br />
Although you have a choice of using System SSL, SSLight, or JSSE on z/OS,<br />
only JSSE or SSLight can be used by the <strong>CICS</strong> TG Java classes on the<br />
workstation (the Java client). System SSL is restricted for use by a <strong>CICS</strong> TG<br />
protocol handler only.<br />
We chose to use JSSE to test with, since it supports a higher level of security<br />
than the SSLight toolkit. JSSE supports a length of 128 bits for the keys used to<br />
encrypt network data, whereas SSLight supports a maximum length of 56 bits.<br />
Because the strength of an encryption is related to the length of the keys used,<br />
128-bit is significantly stronger than 56-bit encryption. An additional<br />
consideration is that support for SSLight might be removed in a future <strong>CICS</strong> TG<br />
release.<br />
To make the <strong>Gateway</strong> daemon and <strong>CICS</strong> TG Java class libraries use JSSE, the<br />
appropriate libraries need to be present in the JDK, and a JSSE keystore is<br />
specified as the key file to use, rather than an SSLight keyring class.<br />
In order to set up a secure SSL connection to our <strong>CICS</strong> TG on z/OS, we<br />
performed the following steps.<br />
Configuring z/OS for JSSE<br />
Because the necessary JSSE libraries were already present in the JDK, we did<br />
not have to modify our z/OS JDK.<br />
Configuring Windows for JSSE<br />
We had to install the JSSE library into the JDK on our Windows workstation. We<br />
also had to install the <strong>IBM</strong> Java Cryptographic Extension (JCE) provider into the<br />
JDK. We did this as follows:<br />
1. We took the two JSSE zip files supplied with the <strong>CICS</strong> TG product<br />
(ibm-jsse.zip and ibm-jce.zip) and copied them into our JDK directory.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 189
190 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2. Using WinZip, we extracted the contents of these zip files into the JDK<br />
directory C:\Program Files\<strong>IBM</strong>\Java13 (Figure 8-2).<br />
Figure 8-2 WinZip extracting the JSSE library into the JDK<br />
3. We selected the Yes to All button when the Confirm File Overwrite window<br />
appeared.<br />
4. We modified the JDK master security properties file java.security located in<br />
the directory C:\Program Files\<strong>IBM</strong>\Java13\jre\lib\security to add the <strong>IBM</strong> JCE<br />
provider to the JDK, as shown below. Note that we placed the <strong>IBM</strong> JCE<br />
provider after the Sun provider that is available with the JDK.<br />
security.provider.1=sun.security.provider.Sun<br />
security.provider.2=com.ibm.crypto.provider.<strong>IBM</strong>JCE
8.2.1 Configuring the server certificate<br />
We configured a server key database for use with System SSL and a server<br />
keystore file for use with JSSE. System SSL used a test certificate from a<br />
certificate authority, whereas JSSE used a self-signed certificate.<br />
System SSL<br />
For System SSL it was necessary to create a server key database, request an<br />
externally signed test certificate, and receive this certificate into our key<br />
database.<br />
Creating a key database on z/OS<br />
We performed the following steps to create our key database on z/OS:<br />
1. In a z/OS UNIX System Services shell we changed directory to the HFS<br />
directory /web/scsctg5 that we were using for our <strong>CICS</strong> TG for z/OS<br />
installation, and entered the gskkyman command to invoke the <strong>IBM</strong> Key<br />
Management Utility.<br />
2. From this menu, we selected Option 1 (Create new key database), as<br />
shown in Example 8-1.<br />
Example 8-1 Creating a new key database<br />
<strong>IBM</strong> Key Management Utility<br />
Choose one of the following options to proceed.<br />
1 - Create new key database<br />
2 - Open key database<br />
3 - Change database password<br />
0 - Exit program<br />
Enter your option number: 1<br />
3. We continued by replying to the following prompts, as shown in Example 8-2.<br />
Example 8-2 Entering details of the new key database<br />
Enter key database name or press ENTER for "key.kdb": systemssl.kdb<br />
Enter password for the key database.......><br />
Enter password again for verification.....><br />
Should the password expire? (1 = yes, 0 = no) [1]: 0<br />
<strong>The</strong> database has been successfully created, do you want to continue to work<br />
with the database now? (1=yes, 0=no) [1]<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 191
192 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
For more details on System SSL and the gskkyman utility, refer to OS/390<br />
V2R10.0 System SSL Programming Guide and Reference, SC24-5877.<br />
Requesting an externally signed test certificate<br />
Once we had created our key database, we performed the following steps to<br />
request an externally signed test certificate.<br />
1. In order to obtain an externally signed certificate from a certificate authority<br />
(CA), we first had to generate a certificate signing request (CSR). We chose<br />
Option 3 (Create New Key Pair and Certificate Request) from the Key<br />
database menu and entered the definitions in Table 8-4 on page 188, as<br />
shown in Example 8-3.<br />
Example 8-3 Creating a new key pair and certificate request<br />
Enter option number (or press ENTER to return to the parent menu): 3<br />
Enter certificate request file name or press ENTER for "certreq.arm":<br />
Enter a label for this key................> ITSO<br />
Select desired key size from the following options (512):<br />
1: 512<br />
2: 1024<br />
Enter the number corresponding to the key size you want: 2<br />
Enter certificate subject name fields in the following.<br />
Common Name (required)................> wtsc66oe.itso.ibm.com<br />
Organization (required)...............> <strong>IBM</strong><br />
Organization Unit (optional)..........> ITSO<br />
City/Locality (optional)..............> San Jose<br />
State/Province (optional).............> California<br />
Country Name (required 2 characters)..> US<br />
Please wait while key pair is created...<br />
Your request has completed successfully, exit gskkyman? (1 = yes, 0 = no) [0]:<br />
Important: When creating the certificate request in gskkyman, we found that<br />
we needed to specify all fields including the optional ones. We could not use<br />
an abbreviation for the state/province; otherwise VeriSign rejected our<br />
certificate signing request.<br />
2. After the certificate had been generated, we checked the contents of the file<br />
(Example 8-4) using the following UNIX System Services command:<br />
cat certreq.arm<br />
Example 8-4 Contents of the certificate request file<br />
$ [SC66] /ctg/scsctg5: cat certreq.arm<br />
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBLDCB1wIBADByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTER<br />
MA8GA1UEBxMIU2FuIEpvc2UxDDAKBgNVBAoTA0lCTTENMAsGA1UECxMESVRTTzEe<br />
MBwGA1UEAxMVd3RzYzY2b2UuaXRzby5pYm0uY29tMFwwDQYJKoZIhvcNAQEBBQAD<br />
SwAwSAJBAMmrTVGvmBpIH2WFB4sbgptMzydLSuMpRsFPyr9uYhmSr0VDi7Vpa4MU<br />
UC3WjMvn/48KJt1sV4Kvl+ZUFbKMK50CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EA<br />
JQXsNdj2o9EZpa5QhjsVZO2nr9eYbWzlLTN2Oj8rVpW4HLudmZxAMys8mnwPjz8g<br />
BtV6UHUQZvh0rQSO4h1WnQ==<br />
-----END NEW CERTIFICATE REQUEST-----<br />
3. <strong>The</strong> next step was to use this file to request an externally signed server<br />
certificate from our chosen CA. We chose to use VeriSign’s test facility, and<br />
applied online for our certificate at their Web site http://www.verisign.com.<br />
Using this method it was merely necessary to fill in an online form, and paste<br />
in our CSR. <strong>The</strong> following is a summary of the process we had to go through:<br />
– <strong>The</strong> first window required us to fill in personal information, such as name,<br />
address, phone number, e-mail address, need for Web security, and your<br />
responsibility for Web security in your company.<br />
– An enrollment window was then displayed with recommendations about<br />
what to do before starting. Following this we were guided through a<br />
five-step process:<br />
i. Generate CSR (we had already done this step).<br />
ii. Submit CSR.<br />
This window asked us to cut and paste the CSR file we had created in<br />
the Base64 Encoded ASCII format. We found the most reliable way<br />
was to FTP our CSR request to Windows and use the Notepad Editor<br />
to cut and paste the CSR into the HTML form. Without this we found<br />
extra characters were copied in the operation, resulting in VeriSign<br />
reporting an fffffffe error.<br />
iii. Complete application data.<br />
This window displayed the information extracted from the CSR request<br />
we had entered, and asked for information about the person to whom<br />
the certificate was to be sent. We submitted our application and were<br />
informed that VeriSign was processing our request.<br />
iv. After a few hours we received an e-mail containing the Base64<br />
Encoded test certificate, signed using the private key from the VeriSign<br />
Test CA root certificate and valid for 14 days. This also contained<br />
instructions about the next two steps: installing the test CA root and<br />
installing the test server ID. However, these steps were not necessary<br />
in our situation since we were using a Java client instead of a Web<br />
browser and the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> instead of a Web server.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 193
194 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: We found that VeriSign would only issue one certificate for a server, so<br />
we were unable to obtain a test certificate to use with our SSL protocol<br />
handler.<br />
Receiving our test certificate<br />
Once we received our test certificate, we copied and pasted this into a file<br />
(verisigncert.arm) on our workstation using the Notepad Editor (being very<br />
careful to remove any trailing space characters), and then transferred this to the<br />
HFS directory /web/scsctg5 on z/OS using FTP in ASCII mode. We then received<br />
this into our key database on z/OS using Option 4 of the Key Database Menu -<br />
Receive a certificate issued for your request.<br />
Example 8-5 Receiving the certificate issued for our request<br />
Enter certificate file name or press ENTER for “cert.arm” verisigncert.arm<br />
Do you want to set the key as the default in your key database?<br />
(1 = yes, 0 = no) [1]<br />
Please wait while certificate is received......<br />
Your request has completed successfully, exit gskkyman?<br />
(1 = yes, 0 = no) [0]: 0<br />
JSSE<br />
For JSSE it was necessary to create a server keystore and create a self-signed<br />
certificate. We used the keytool to complete these steps.<br />
Creating a keystore on z/OS using keytool<br />
We performed the following steps to create our keystore on z/OS using keytool:<br />
1. In a z/OS UNIX System Services shell we changed the directory to the HFS<br />
directory /ctg/scsctg5 we were using for our z/OS <strong>CICS</strong> TG.<br />
2. We used the keytool command in Example 8-6 to invoke the Key<br />
Management Tool to create a keystore with a self-signed certificate in the file<br />
jssesslss.jks.<br />
Example 8-6 Using keytool to create a keystore with a self-signed certificate<br />
keytool -genkey -alias ITSO -keysize 1024<br />
-dname "cn=wtsc66oe.itso.ibm.com,o=<strong>IBM</strong>,ou=ITSO,l=San Jose,s=California,c=US"<br />
-keystore jssesslss.jks -keypass default -storepass default -keyalg RSA<br />
<strong>The</strong> options on the keytool command are as follows:
genkey Generates a key pair and wraps the public key into a<br />
self-signed certificate.<br />
alias Stores the self-signed certificate and private key in a new<br />
keystore entry identified by ITSO.<br />
dname Specifies the X.500 distinguished name to be associated with<br />
the alias. This is used as the issuer and subject fields of the<br />
self-signed certificate. <strong>The</strong> distinguished name consists of a<br />
number of fields separated by commas.<br />
keystore <strong>The</strong> keystore location.<br />
keypass <strong>The</strong> password used to protect the private key.<br />
storepass <strong>The</strong> password used to protect the integrity of the keystore.<br />
keyalg Specifies the algorithm to be used to generate the key pair.<br />
<strong>The</strong> keytool we used generated a self-signed certificate and private key using<br />
a distinguished name that specified the same information as our System SSL<br />
certificate request. <strong>The</strong> values we used for each field are listed in Table 8-4 on<br />
page 188. We specified the RSA algorithm to generate our key pair. We<br />
specified the same password for both the keystore and the private key.<br />
3. To see the self-signed certificate we had created, we used the keytool<br />
command in Example 8-7 to invoke the Key Management Tool to list the<br />
contents of the keystore. We used the -v parameter to show all details of the<br />
certificate in the keystore. Example 8-7 shows that the keystore has one entry<br />
and our certificate is owned by the same distinguished name as it is issued<br />
by.<br />
Example 8-7 Using keytool to list the contents of a keystore<br />
$[SC66] /ctg/scsctg5: keytool -list -v -keystore jssesslss.jks -storepass<br />
default<br />
Keystore type: jks<br />
Keystore provider: SUN<br />
Your keystore contains 1 entry:<br />
Alias name: itso<br />
Creation date: Tue Jun 25 17:10:35 EDT 2002<br />
Entry type: keyEntry<br />
Certificate chain length: 1<br />
Certificate[1]:<br />
Owner: CN=wtsc66oe.itso.ibm.com, O=<strong>IBM</strong>, OU=ITSO, L=San Jose, ST=California,<br />
C=US<br />
Issuer: CN=wtsc66oe.itso.ibm.com, O=<strong>IBM</strong>, OU=ITSO, L=San Jose, ST=California,<br />
C=US<br />
Serial number: 3d18dc4a<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 195
196 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Valid from: Tue Jun 25 17:10:34 EDT 2002 until: Mon Sep 23 17:10:34 EDT 2002<br />
Certificate fingerprints:<br />
MD5: 6D:5B:C0:14:12:E5:E2:47:C1:8E:FE:B8:D5:9D:08:36<br />
SHA1: AA:8D:BF:D5:74:88:E8:72:D9:83:3D:12:E3:03:F3:2E:54:97:74:58<br />
*******************************************<br />
*******************************************<br />
8.2.2 Configuring the client keyring<br />
For the client side, we used the JSSE library to provide an SSL connection.<br />
In order to test the System SSL protocol, we needed to create a JSSE keystore<br />
that contains the signer certificate for the VeriSign Test Certificate Authority who<br />
signed our server certificate, obtained in 8.2.1, “Configuring the server<br />
certificate” on page 191. This is because the client needs the public key of the<br />
signer, contained inside the signer certificate, to decrypt the server certificate<br />
presented to the client during the SSL handshake. If the server certificate is<br />
decrypted successfully, then the client can trust that the certificate is authentic<br />
and SSL communication can occur.<br />
To test the JSSE SSL protocol, we needed to add our self-signed server<br />
certificate to this JSSE keystore. <strong>The</strong> client needs to have the signer certificate of<br />
our server to recognize the certificate the SSL protocol will present to it during<br />
the SSL handshake.<br />
Client keystore for SystemSSL and JSSE<br />
To create a keystore for use with SystemSSL and JSSE, we used the iKeyman<br />
tool, provided with the JSSE libraries, on Windows. We performed the following<br />
steps:<br />
1. From a Windows command prompt we changed into the <strong>CICS</strong> TG bin<br />
directory with the command:<br />
cd C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\bin<br />
2. From a Windows command prompt, we started the iKeyman tool using the<br />
command:<br />
java com.ibm.ikeyman.Ikeyman<br />
<strong>The</strong> initial window is shown in Figure 8-3 on page 197.
Figure 8-3 iKeyman initial window<br />
3. We created a new keystore using Key Database File -> New. This caused<br />
the New window to appear (Figure 8-4). We made sure the Key database type<br />
was JKS and entered jsseclientss.jks in the File Name field. <strong>The</strong> Location<br />
field was already set to the <strong>CICS</strong> TG bin directory.<br />
Figure 8-4 iKeyman new keystore window<br />
4. We clicked OK and were presented with the password prompt window. We<br />
entered the password default.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 197
198 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 8-5 iKeyman password prompt window<br />
5. We clicked OK and were presented with the Signer Certificates window as<br />
shown in Figure 8-6.<br />
Figure 8-6 iKeyman signer certificates window<br />
You can see that the VeriSign Test CA root certificate is supplied by default in<br />
a new keystore as a signer certificate. <strong>The</strong>refore, we did not need to import<br />
this into the keystore.
Tip: We found that iKeyman does not remember the directory the file window<br />
was in the last time it is used, but always opens the directory from where<br />
iKeyman was launched. <strong>The</strong>refore we changed to the <strong>CICS</strong> TG bin directory<br />
before launching iKeyman so that the file window would open there.<br />
To add the signer certificate of our self-signed server certificate to the client<br />
keystore, we performed the following steps:<br />
1. From a z/OS UNIX System Services shell, we changed to the /ctg/scsctg5<br />
directory where our server keystore was.<br />
2. We used the keytool command in Example 8-8 to invoke the Key<br />
Management Tool to export the self-signed certificate from the server<br />
keystore in the file jssesslss.jks into a file called server.der.<br />
Example 8-8 Exporting the self-signed certificate<br />
$ [SC66] /ctg/scsctg5: keytool -export -alias ITSO -file server.der<br />
-keystore jssesslss.jks -storepass default<br />
Certificate stored in file <br />
3. We transferred the server.der file from z/OS to the C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong><br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\bin directory on our Windows workstation using<br />
FTP. We used binary mode for the transfer.<br />
4. From the Signer Certificates window in iKeyman we clicked the Add button.<br />
This caused the Add CA’s Certificate from a File window to appear<br />
(Figure 8-7). We changed the Data type to Binary DER data. We changed the<br />
Certificate file name field to server.der.<br />
Figure 8-7 iKeyman add CA certificate window<br />
5. We clicked the OK button. This displayed the Enter a Label window<br />
(Figure 8-8 on page 200). We entered ITSO ca root certificate into the<br />
window and clicked the OK button.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 199
200 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 8-8 iKeyman enter certificate label window<br />
6. <strong>The</strong> certificate was imported successfully and we were able to view it by<br />
selecting it in the Signer Certificates window and clicking the View/Edit button<br />
(Figure 8-9).<br />
Figure 8-9 iKeyman viewing the self-signed certificate<br />
As can be seen, the certificate is issued to the same distinguished name as it<br />
is issued by. It has also been set as a trusted root in the keystore.
Tip: We found it difficult to tell the difference between the <strong>CICS</strong> TG version of<br />
iKeyman and the JSSE version. <strong>The</strong> only differences we could spot were the<br />
blue icon on the toolbar of the JSSE iKeyman, which allowed a new provider to<br />
be added, and the JSSE version did not have a Recreate Request button on<br />
the Personal Certificates window.<br />
8.2.3 Configuring the <strong>CICS</strong> TG for SSL<br />
We had to configure our <strong>CICS</strong> TG to enable System SSL and JSSE SSL.<br />
System SSL configuration<br />
We performed the following steps to configure our <strong>CICS</strong> TG to be able to use our<br />
SystemSSL server certificate:<br />
1. When using System SSL, binaries and data sets for the product code must be<br />
marked as program controlled, as must any key database file (.kdb). We<br />
performed this using the following extattr commands:<br />
extattr +p /usr/lpp/gskssl/lib/*<br />
extattr +p /usr/lpp/gskssl/bin/*<br />
extattr +p /web/scsctg5/systemssl.kdb<br />
Before issuing extattr commands, we required Resource Access Control<br />
Facility (RACF) access to the BPX.FILEATTR.PROGCTL profile. This was<br />
obtained by using the following command:<br />
PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(<strong>CICS</strong>RS3) ACCESS(READ)<br />
SETROPTS RACLIST(FACILITY) REFRESH<br />
We verified that the files were program controlled using the ls -E command<br />
from OMVS. <strong>The</strong> second set of attributes are the extended ones. <strong>The</strong> second<br />
column of these should contain the character “p”.<br />
2. We modified our <strong>CICS</strong> TG configuration file (/ctg/scsctg5/CTG.INI) to activate<br />
the SystemSSL protocol handler to use our SystemSSL server certificate, as<br />
shown in Example 8-9.<br />
Example 8-9 Enabling the SystemSSL protocol handler<br />
protocol@systemssl_ssl.handler=com.ibm.ctg.server.GskSslHandler<br />
protocol@systemssl_ssl.parameters=port=8052;sotimeout=1000;\<br />
connecttimeout=2000;idletimeout=600000;pingfrequency=60000;\<br />
keyring=/ctg/scsctg5/systemssl.kdb;keyringpw=default;clientauth=off;<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 201
202 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
You can see that the <strong>CICS</strong> TG is configured to listen on port 8052 for SSL<br />
requests, and has access to systemssl.kdb, where we stored our server<br />
certificate.<br />
SSL client authentication<br />
It is also possible to associate an SSL client certificate with a RACF user ID. This<br />
is useful if you wish to use SSL client authentication to identify your <strong>CICS</strong> TG<br />
user, as opposed to a RACF user ID and password. We did not do this in our test<br />
scenario, but to do this you need to run the TSO command RACDCERT. <strong>The</strong><br />
certificate supplied from the CA is used to create a matching profile in the RACF<br />
CLASS(DIGTCERT). <strong>The</strong> syntax of RACDCERT is:<br />
RACDCERT ADD(‘<strong>CICS</strong>RS3.CERT.ARM’) TRUST ID(<strong>CICS</strong>RS3)<br />
Where <strong>CICS</strong>RS3.CERT.ARM is a z/OS sequential file of Virtual Basic (VB) format<br />
that has been copied from the public key certificate (in our case the Hierarchical<br />
File System [HFS] file verisigncert.arm) using the OMVS copy command. When<br />
you issue the RACDCERT command, RACF creates a digital certificate profile in<br />
CL(DIGTCERT) with TRUST status that associates a certificate with a user ID.<br />
This profile can then be used to translate a certificate into a user ID. For more<br />
information, see OS/390 SecureWay Security Server RACF Command<br />
Language Reference, SC28-1919.<br />
JSSE SSL configuration<br />
We performed the following steps to configure our <strong>CICS</strong> TG to be able to use our<br />
JSSE SSL server certificate:<br />
1. We modified the <strong>CICS</strong> TG configuration file (/ctg/scsctg5/CTG.INI) to activate<br />
the SSL protocol handler to use our JSSE server keystore.<br />
Example 8-10 Enabling the SSL protocol handler<br />
protocol@ssl.handler=com.ibm.ctg.server.SslHandler<br />
protocol@ssl.parameters=connecttimeout=2000;idletimeout=60000;\<br />
keyring=/ctg/scsctg5/jssesslss.jks;keyringpw=default;\<br />
pingfrequency=60000;port=8062;solinger=0;sotimeout=1000;<br />
You can see that the <strong>CICS</strong> TG is configured to listen on port 8062 for SSL<br />
requests, and has access to jssesslss.jks, where we stored our self-signed<br />
server certificate. Because we specified a keystore file in the keyring parameter,<br />
the <strong>CICS</strong> TG will use JSSE to provide SSL support.
8.3 Testing the configuration<br />
To test our configuration, we used the <strong>CICS</strong> TG sample Java application EciB1.<br />
This is installed in the <strong>CICS</strong> TG samples directory, inside the java subdirectory.<br />
<strong>The</strong> sample’s Java class is defined to be in the Java package<br />
com.ibm.ctg.samples.eci, so the sample source file is stored under the following<br />
directory structure:<br />
com/ibm/ctg/samples/eci<br />
<strong>The</strong> full path to the EciB1 sample on our Windows system is:<br />
C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\samples\java\<br />
com\ibm\ctg\samples\eci\EciB1.java<br />
<strong>The</strong> sample is also provided in a compiled form inside ctgsamples.jar.<br />
We used EciB1 from our Windows 2000 workstation to call the <strong>CICS</strong> program<br />
EC01 via SystemSSL and JSSE. <strong>The</strong> EciB1 application flows an ECI request to a<br />
connected <strong>CICS</strong> region through a specified <strong>Gateway</strong> (Figure 8-10) and invokes<br />
the program EC01. <strong>The</strong> <strong>Gateway</strong> URL is specified as an input parameter. <strong>The</strong><br />
<strong>CICS</strong> region is entered at the interactive prompt.<br />
Windows<br />
wtsc66oe.itso.ibm.com<br />
z/OS<br />
ctgclient.jar<br />
ctgsamples.jar<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong><br />
JVM<br />
EciB1<br />
SSL Keystore<br />
Ikeyman<br />
SSL handshake<br />
encrypted ECI<br />
request<br />
<strong>Gateway</strong><br />
daemon<br />
SSL Keystore<br />
EXCI<br />
via IRC<br />
Figure 8-10 <strong>CICS</strong> TG for z/OS SSL software configuration for remote testing<br />
After we installed and configured the software components as illustrated in<br />
Figure 8-10, we tested our configurations as follows:<br />
JNI<br />
System SSL<br />
Key database<br />
keytool<br />
EXCI<br />
gskkyman<br />
EC01<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 203
204 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
1. We started the <strong>CICS</strong> TG on z/OS as a started task from SDSF using the<br />
command /S SCSCTG5. Once the <strong>CICS</strong> TG had started the original job,<br />
SCSCTG5 was left running but paged out, and a child process SCSCTG55<br />
was left running and paged in. SCSCTG55 is the <strong>CICS</strong> TG daemon that is<br />
running in UNIX System Services. This is shown in Example 8-11.<br />
Example 8-11 <strong>CICS</strong> TG started tasks in SDSF<br />
SDSF DA SC66 SC66 PAG 0 SIO 322 CPU 7/ 6 DATA SET DISPLAYED<br />
COMMAND INPUT ===> SCROLL ===> CSR<br />
NP JOBNAME StepName ProcStep JobID Owner C Pos DP Real Paging SIO<br />
SCSCTG55 *OMVSEX STC11097 CTGUSER IN F7 25T 0.00 0.42<br />
SCSCTG5 SCSCTG5 *OMVSEX STC12191 CTGUSER LO FF 283 0.00 0.00<br />
2. Once the <strong>CICS</strong> TG had started, we checked the log file<br />
/ctg/scsctg5/logs/ctg.stdout for the message CCL6524I, indicating the System<br />
SSL and SSL protocol handlers had successfully started (see Example 8-12).<br />
Example 8-12 Successful start of the <strong>CICS</strong> TG as seen in ctg.stdout<br />
CTG6111I File 'ctgenvvar' found. Using the configuration in script 'ctgenvvar'<br />
to start up the application.<br />
06/26/02 : 12:44:23:257 : <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, Version 5.0.0 Pre-release,<br />
5724-D12. Build Level c000-20020621.<br />
06/26/02 : 12:44:23:260 : (C) Copyright <strong>IBM</strong> Corporation 1999, 2002. All rights<br />
reserved.<br />
06/26/02 : 12:44:23:354 : CCL8400I: Using ini file /ctg/scsctg5/CTG.INI.<br />
06/26/02 : 12:44:23:356 : CCL6577I: Java version is 1.3.1.<br />
06/26/02 : 12:44:23:357 : CCL6502I: Initial ConnectionManagers = 10, Maximum<br />
ConnectionManagers = 90,<br />
06/26/02 : 12:44:23:359 : CCL6502I: Initial Workers = 10, Maximum Workers = 90,<br />
tcp: Port = 2006<br />
06/26/02 : 12:44:23:360 : CCL6574I: Connection logging has been disabled.<br />
06/26/02 : 12:44:24:166 : CCL6505I: Successfully created the initial<br />
ConnectionManager and Worker threads.<br />
06/26/02 : 12:44:26:779 : CCL8402I: JSSE libraries selected for use.<br />
06/26/02 : 12:44:26:780 : CCL8405I:<br />
06/26/02 : 12:44:28:441 : CCL8401I: <strong>The</strong> Following Ciphers are Enabled:<br />
06/26/02 : 12:44:28:442 : SSL_RSA_WITH_RC4_128_MD5<br />
06/26/02 : 12:44:28:442 : SSL_RSA_WITH_RC4_128_SHA<br />
06/26/02 : 12:44:28:442 : SSL_RSA_WITH_DES_CBC_SHA<br />
...<br />
06/26/02 : 12:44:28:457 : CCL6524I: Successfully started handler for the ssl:<br />
protocol.<br />
06/26/02 : 12:44:34:514 : CCL6524I: Successfully started handler for the<br />
systemssl_ssl: protocol.<br />
06/26/02 : 12:44:34:541 : CCL6524I: Successfully started handler for the tcp:<br />
protocol.
<strong>The</strong> message CCL8402I also indicated that the JSSE libraries were selected.<br />
This is because we had supplied the name of a keystore file in the CTG.INI<br />
file. <strong>The</strong> <strong>CICS</strong> TG also outputs a long list of the ciphers that are enabled in the<br />
JSSE SSL protocol handler.<br />
3. We checked the state of the TCP/IP sockets on our UNIX System Services<br />
TCP/IP stack using the onetstat command from OMVS. This showed us the<br />
output in Example 8-13 and indicates that the <strong>Gateway</strong> daemon was indeed<br />
listening on port 8052 and 8062 for requests.<br />
Example 8-13 Partial output from the onetstat command<br />
$ [SC66] /ctg/scsctg5/logs: onetstat<br />
MVS TCP/IP onetstat CS V1R2 TCPIP Name: TCPIPOE 14:30:48<br />
User Id Conn Local Socket Foreign Socket State<br />
------- ---- ------------ -------------- -----<br />
SCSCTG55 00001827 0.0.0.0..8052 0.0.0.0..0 Listen<br />
SCSCTG55 00001825 0.0.0.0..8062 0.0.0.0..0 Listen<br />
We could have checked the ports were listening using the ScanPort utility. For<br />
further information see “Testing the configuration” on page 52.<br />
4. Next, we checked basic IP connectivity from our Windows 2000 workstation to<br />
our z/OS system using the ping command from a Windows 2000 prompt (see<br />
Example 8-14).<br />
Example 8-14 Output from the ping command on Windows<br />
C:\>ping wtsc66oe.itso.ibm.com<br />
Pinging wtsc66oe.itso.ibm.com [9.12.6.29] with 32 bytes of data:<br />
Reply from 9.12.6.29: bytes=32 time=140ms TTL=243<br />
Reply from 9.12.6.29: bytes=32 time=120ms TTL=243<br />
Reply from 9.12.6.29: bytes=32 time=120ms TTL=243<br />
Reply from 9.12.6.29: bytes=32 time=110ms TTL=243<br />
Ping statistics for 9.12.6.29:<br />
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />
Approximate round trip times in milli-seconds:<br />
Minimum = 110ms, Maximum = 140ms, Average = 122ms<br />
Once we knew everything was working, we then tested from a Windows 2000<br />
workstation. We performed the following steps:<br />
1. We set the CLASSPATH on Windows 2000 to include ctgclient.jar and<br />
ctgsamples.jar using the following command:<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 205
206 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
set CLASSPATH=C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgclient.jar;c:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgsamples.jar;<br />
2. We changed the working directory to the <strong>CICS</strong> TG bin directory with the<br />
command:<br />
cd \Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\bin<br />
3. We then ran EciB1 using the command in Example 8-15.<br />
Example 8-15 Command to run EciB1 from Windows against SystemSSL<br />
java com.ibm.ctg.samples.eci.EciB1 ssl://wtsc66oe.itso.ibm.com 8052<br />
jsseclientss.jks default<br />
– You can see the first parameter after the EciB1 call is the location of the<br />
<strong>CICS</strong> TG server. We specified the ssl protocol here.<br />
– <strong>The</strong> second parameter on the EciB1 line is the <strong>CICS</strong> TG port on the z/OS<br />
gateway. Our gateway is listening on port 8052 with the System SSL<br />
protocol handler, so we specify it here.<br />
– <strong>The</strong> third parameter is the SSL classname or keystore. We specified the<br />
client keystore we had in the <strong>CICS</strong> TG bin directory here.<br />
– <strong>The</strong> final parameter to EciB1 is the SSL keystore password. We specified<br />
the password we had used to protect the keystore here.<br />
This ran the compiled version of EciB1 inside ctgsamples.jar and connected<br />
to the <strong>CICS</strong> TG on our z/OS system, using the SSL support provided by JSSE<br />
on Windows and SystemSSL on z/OS. <strong>The</strong> jsseclientss.jks keystore specified<br />
when we ran the command was in the working directory.<br />
4. We entered 1 at the prompt to select our <strong>CICS</strong> server. <strong>The</strong> result of our test is<br />
given in Example 8-16. As shown, EC01 returned the time and date on our<br />
<strong>CICS</strong> server.<br />
Example 8-16 Output from EciB1<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Basic ECI Sample 1<br />
-------------------------------------------<br />
Usage: java com.ibm.ctg.samples.eci.EciB1 [<strong>Gateway</strong> Url]<br />
[<strong>Gateway</strong> Port Number]<br />
[SSL Classname]<br />
[SSL Password]<br />
To enable client tracing, run the sample with the following Java option:<br />
-Dgateway.T.trace=on<br />
<strong>The</strong> address of the <strong>Gateway</strong> has been set to ssl://wtsc66oe.itso.ibm.com<br />
Port:8052
<strong>CICS</strong> Servers Defined:<br />
1. SCSCPJA1 -<br />
Choose Server to connect to, or q to quit:<br />
1<br />
Program EC01 returned with data:-<br />
Hex: 32362f30362f30322031363a33303a30310<br />
ASCII text: 26/06/02 16:30:01<br />
5. We then tested the JSSE SSL protocol handler. We ran EciB1 using the<br />
command in Example 8-17.<br />
Example 8-17 Command to run EciB1 from Windows against SSL<br />
java com.ibm.ctg.samples.eci.EciB1 ssl://wtsc66oe.itso.ibm.com 8062<br />
jsseclientss.jks default<br />
– <strong>The</strong> CLASSPATH is identical to the System SSL test. This is because from<br />
the client we use the JSSE libraries to test both SSL protocol handlers.<br />
– <strong>The</strong> parameters on the EciB1 call are the same as those for the System<br />
SSL test with the exception of the port number. We specified port 8062,<br />
since this was where the JSSE SSL protocol handler was listening. <strong>The</strong><br />
other parameters are the same because, from the client perspective, we<br />
are using the same protocol to communicate with the <strong>CICS</strong> TG. We use<br />
the same keystore because it contains the self-signed certificate we added<br />
in “Client keystore for SystemSSL and JSSE” on page 196.<br />
This ran the compiled version of EciB1 inside ctgsamples.jar and connected<br />
to the <strong>CICS</strong> TG on our z/OS system, using the SSL support provided by JSSE<br />
on Windows and JSSE on z/OS. <strong>The</strong> only difference from the previous<br />
command is that we specified port 8062 where the SSL protocol handler was<br />
listening.<br />
6. We entered 1 at the prompt to select our <strong>CICS</strong> server. <strong>The</strong> successful output<br />
of EciB1 was again identical to that shown in Example 8-16 on page 206,<br />
apart from the date returned by EC01.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 207
8.4 Problem determination<br />
8.4.1 Tips and utilities<br />
208 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In this section, we document information we learned while configuring this<br />
scenario, and further information on problem determination and tracing.<br />
We found the keytool utility useful for verifying that we had specified the correct<br />
password for a keystore and that a keystore was intact. <strong>The</strong> following keytool<br />
command lists the contents of the keystore jsseclientss.jks using the password<br />
default:<br />
keytool -list -keystore jsseclientss.jks -storepass default<br />
If the password was incorrect, the following error is output:<br />
keytool error: java.io.IOException: Keystore was tampered with, or password<br />
was incorrect<br />
If the keystore is corrupt, the following error is output:<br />
keytool error: java.io.IOException: Invalid keystore format<br />
In the following sections, we detail common errors we came across when setting<br />
up JSSE and testing SSL.<br />
CCL6525E Unable to start handler for the ssl: protocol<br />
This error message can appear in the <strong>CICS</strong> TG log for a number of reasons. <strong>The</strong><br />
<strong>CICS</strong> TG will also give the exception message that occurred in the underlying<br />
library. This can be used to determine what went wrong.<br />
► If the keystore password is incorrect, the message will be<br />
[java.io.IOException: Keystore was tampered with, or password was<br />
incorrect]. An incorrect password is the most common cause of this error.<br />
Verify the keystore password using the keytool command.<br />
► <strong>The</strong> message [java.io.IOException: Algorithm IbmX509 not available]<br />
indicates that the JSSE libraries are not installed correctly. This is caused by<br />
not having the correct versions of ibmjsse.jar, ibmjcefw.jar, ibmjceprovider.jar<br />
in the JDK’s ext directory.<br />
► If the message CCL8403I SSLight libraries selected for use is output<br />
earlier in the <strong>CICS</strong> TG log, and a JSSE keystore is being used, the JSSE<br />
libraries are not installed in the JDK used by the <strong>CICS</strong> TG. <strong>The</strong> CCL6525E<br />
message will be followed by [java.io.IOException: Keystore was tampered<br />
with, or password was incorrect].
► If the keystore is not in the location referenced by CTG.INI, the message will<br />
state java.io.FileNotFoundException, will give the file name specified for the<br />
keystore, and will state (<strong>The</strong> system cannot find the file specified).<br />
► If the port number the <strong>CICS</strong> TG is trying to listen on is already in use by<br />
another system, the message will state [java.net.BindException: Address<br />
in use: bind]. <strong>The</strong> onetstat command can be used to see if another system<br />
is using the desired port.<br />
Unable to start handler for the system_ssl: protocol<br />
<strong>The</strong> error message CCL6525E: Unable to start handler for the system_ssl:<br />
protocol can appear in the <strong>CICS</strong> TG log for a number of reasons. <strong>The</strong> <strong>CICS</strong> TG<br />
will also give the exception message that occurred in the underlying library. This<br />
can be used to determine what went wrong.<br />
► If the key database password is incorrect, the message will be<br />
[java.io.IOException: rc=4]. Check that the key database password<br />
specified is correct by trying to open it using gskkyman.<br />
► If the message reads [java.io.IOException: rc=2], we found one of two<br />
errors can cause this:<br />
– <strong>The</strong> key database (.kdb and .rdb files) is not in the location specified in<br />
CTG.INI, so they cannot be found by the <strong>CICS</strong> TG.<br />
– <strong>The</strong> key database file does not have the correct permissions to allow the<br />
<strong>CICS</strong> TG to read it. Check that the file permissions are correct with the<br />
command ls -l systemssl.kdb.<br />
► If the port number the <strong>CICS</strong> TG is trying to listen on is already in use by<br />
another system, the message will state [java.io.IOException: rc=-1]. <strong>The</strong><br />
onetstat command can be used to see if another system is using the desired<br />
port.<br />
CCL6651E: Unable to connect to the <strong>Gateway</strong><br />
This error message can appear on the Java client application when something<br />
goes wrong connecting to the <strong>CICS</strong> TG using SSL.<br />
► If the message [java.io.IOException: Invalid keystore format] appears<br />
and the application is being run on z/OS, check that binary mode was used to<br />
upload the client keystore to the z/OS system. Trying to use a keystore that<br />
was uploaded using ASCII mode will cause this error. Verify that the keystore<br />
is intact using the keytool utility.<br />
► <strong>The</strong> message [java.io.IOException: Keystore was tampered with, or<br />
password was incorrect] again strongly suggests that the keystore password<br />
supplied by the client application is incorrect. Verify the keystore password<br />
using the keytool command.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 209
210 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► If the keystore cannot be found by the Java application, the message will state<br />
java.io.FileNotFoundException, will give the file name specified for the<br />
keystore, and will state (<strong>The</strong> system cannot find the file specified).<br />
Check that the filename specified for the keystore is correct.<br />
CCL6668E: Initial handshake flow failed<br />
This error message appears on the Java client application when the SSL<br />
handshake with the <strong>CICS</strong> TG fails.<br />
► If the message is [javax.net.ssl.SSLHandshakeException: unknown<br />
certificate], then the signer certificate of the key used in the <strong>CICS</strong> TG<br />
server is not present in the keystore used by the client Java application. This<br />
happens if you try to use the SSL-only keystore jsseclientsslonly.jks to<br />
connect to the System SSL protocol handler, or if the self-signed <strong>CICS</strong> TG<br />
certificate is not imported into the client keystore. iKeyman or keytool can be<br />
used to view the certificates present in a keystore.<br />
► If the message states [ERROR_CONNECTION_FAILED], check that the <strong>CICS</strong> TG<br />
protocol has been specified as ssl:// and not tcp://. Using the TCP<br />
protocol to connect to an SSL protocol handler will generate this error.<br />
► If the message contains [javax.net.ssl.SSLProtocolException: end of<br />
file], check that the application has specified an SSL protocol handler and<br />
not a TCP protocol handler. Trying to connect to a TCP protocol handler using<br />
ssl:// will also result in this error. Also, check that the <strong>Gateway</strong> daemon<br />
certificate has not expired. Using an expired System SSL certificate will<br />
generate this error on the client application.<br />
iKeyman error message when loading a keystore<br />
When loading a keystore into iKeyman the window in Figure 8-11 might appear.<br />
This can be caused by specifying the wrong password at the password prompt.<br />
<strong>The</strong> same window is caused when the keystore is corrupt, if it was transferred<br />
using FTP in ASCII mode for example.<br />
Figure 8-11 iKeyman loading error message
8.4.2 Tracing<br />
Testing JSSE under z/OS<br />
We found running the following test from z/OS UNIX System Services useful to<br />
quickly verify that the JSSE SSL protocol handler was working correctly. We<br />
performed the following steps:<br />
1. From a z/OS UNIX System Services shell, we changed to the /ctg/scsctg5<br />
directory where our server keystore was.<br />
2. We used the keytool command in Example 8-8 on page 199 to invoke the<br />
Key Management Tool to export the self-signed certificate from the server<br />
keystore in the file jssesslss.jks into a file called server.der.<br />
3. We used the keytool command in Example 8-18 to invoke the Key<br />
Management Tool to import the self-signed certificate from the file server.der<br />
into the keystore jsseclientsslonly.jks, identified by the alias ITSO. Because<br />
this keystore did not exist, keytool created it. <strong>The</strong> keystore password was set<br />
to default.<br />
Example 8-18 Creating a client keystore with the self-signed certificate<br />
$ [SC66] /ctg/scsctg5: keytool -import -alias ITSO -file server.der<br />
-keystore jsseclientsslonly.jks -storepass default<br />
Certificate was added to keystore<br />
This added our self-signed server certificate into the keystore as a trusted CA.<br />
4. We used the commands in Example 8-19 to set the CLASSPATH and run<br />
EciB1 against the JSSE SSL protocol handler.<br />
Example 8-19 Commands to test JSSE SSL using the SSL-only keystore<br />
export CLASSPATH=/usr/lpp/ctg500/ctg/classes/ctgclient.jar<br />
export CLASSPATH=$CLASSPATH:/usr/lpp/ctg500/ctg/classes/ctgsamples.jar<br />
java com.ibm.ctg.samples.eci.EciB1 ssl://wtsc66oe.itso.ibm.com 8062<br />
/ctg/scsctg5/jsseclientsslonly.jks default<br />
<strong>The</strong> commands ran the compiled version of EciB1 inside ctgsamples.jar and<br />
connected to the <strong>CICS</strong> TG on our z/OS system using the SSL support provided<br />
by the JSSE library on both client and <strong>CICS</strong> TG. We entered 1 at the prompt to<br />
select our <strong>CICS</strong> server. <strong>The</strong> results of our test was identical to that shown in<br />
Example 8-16 on page 206, except the time and date on our <strong>CICS</strong> server was<br />
different.<br />
For information on tracing the <strong>CICS</strong> TG on z/OS, refer to the tracing section of<br />
Chapter 7, “TCP connections to the <strong>Gateway</strong> daemon on z/OS” on page 133.<br />
Chapter 8. SSL connections to the <strong>Gateway</strong> daemon on z/OS 211
212 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 9. TCP connections to the<br />
<strong>Gateway</strong> daemon on Linux<br />
In this chapter, we show you how we implemented a TCP connection from a<br />
remote Java client application to our <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG)<br />
running on Linux for S/390.<br />
This chapter covers the following topics:<br />
► Preparation<br />
► Configuration<br />
► Problem determination<br />
9<br />
For details on how we configured the TCP/IP connection from the <strong>CICS</strong> TG on<br />
Linux to our <strong>CICS</strong> TS region on z/OS, refer to Chapter 5, “TCP/IP connections to<br />
<strong>CICS</strong>” on page 81.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 213
9.1 Preparation<br />
214 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> following sections details the software levels we used in our sample<br />
configuration (Figure 9-1), and some instructions on how to install the <strong>CICS</strong> TG<br />
for Linux in quick and proper fashion, to begin your configuration.<br />
Windows 2000<br />
Java Application<br />
<strong>CICS</strong> TG<br />
Java<br />
classes<br />
TCP/IP<br />
Figure 9-1 Software components: <strong>CICS</strong> TG on Linux<br />
9.1.1 Software checklist<br />
TCP<br />
We used the levels of software described in Table 9-1.<br />
Table 9-1 Software checklist: <strong>CICS</strong> TG on Linux<br />
Linux for S/390<br />
<strong>CICS</strong><br />
<strong>Transaction</strong><br />
<strong>Gateway</strong><br />
daemon<br />
TCP/IP<br />
Client<br />
daemon<br />
Client workstation Server system z/OS<br />
Windows 2000 Service Pack 2 SuSE Linux Enterprise Server 7<br />
for S/390 and zSeries®<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for<br />
Windows <strong>V5</strong>.0<br />
<strong>IBM</strong> Java Development Kit<br />
V1.3.0<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for<br />
Linux <strong>V5</strong>.0<br />
<strong>IBM</strong> Java Development Kit<br />
V1.3.1<br />
TCP/IP<br />
z/OS V1.2<br />
z/OS<br />
<strong>CICS</strong> TS<br />
(SCSCPJA1)<br />
TCP/IP<br />
<strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
<strong>IBM</strong> Java Development Kit<br />
V1.3.1<br />
Communications Server V2.8<br />
(includes VTAM and TCP/IP)
9.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used in this scenario are summarized in Table 9-2. Before you<br />
configure the products, we recommend that you acquire definitions for each<br />
parameter listed.<br />
Table 9-2 Definitions checklist: <strong>CICS</strong> TG on Linux<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>CICS</strong> <strong>Transaction</strong> Server Example<br />
hostname vmlinux1.itso.ibm.com<br />
<strong>CICS</strong> TG network protocol tcp:<br />
port 2006<br />
<strong>CICS</strong> Server name APPLID SCSCPJA1<br />
<strong>CICS</strong> Server hostname wtsc66oe.itso.ibm.com<br />
<strong>CICS</strong> Server TCP/IP port TCPIPSERVICE PORT 8018<br />
Note that we also had to deploy the sample <strong>CICS</strong> COBOL application EC01,<br />
which is provided in the server directory in the <strong>CICS</strong> TG samples directory.<br />
We also had to configure a DFHCNV data conversion template in <strong>CICS</strong> for use<br />
by this program. Refer to Appendix A, “DFHCNV and <strong>CICS</strong> data conversion” on<br />
page 329 for more details.<br />
9.1.3 Installation of the <strong>CICS</strong> TG<br />
<strong>The</strong> following section details how we installed the <strong>CICS</strong> TG on our Linux system.<br />
Enabling the FTP service on Linux<br />
We had to enable the FTP service on Linux. We did this as follows:<br />
1. We edited the Linux internet super-server (inetd) configuration file<br />
/etc/inetd.conf and uncommented the line defining the FTP service, as shown<br />
in Example 9-1.<br />
Example 9-1 Enabling the FTP service in /etc/inetd.conf<br />
# <strong>The</strong>se are standard services.<br />
#<br />
# ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a<br />
ftp stream tcp nowait root /usr/sbin/tcpd proftpd<br />
# ftp stream tcp nowait root /usr/sbin/tcpdin.ftpd<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 215
216 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2. We checked that the user ID we were going to use to log into the FTP service<br />
was not listed in the file /etc/ftpusers. This file defines users who are not<br />
allowed to log into the FTP service.<br />
3. We used the command /etc/init.d/inetd restart to restart the inetd<br />
daemon, the output of which is shown in Example 9-2.<br />
Example 9-2 Restarting the inetd daemon<br />
root@vmlinux1:/etc > /etc/init.d/inetd restart<br />
Shutting down inetd done<br />
Starting inetd done<br />
Note: Here we enabled the proftpd FTP server daemon. We could have<br />
enabled one of the other FTP server daemons in the inetd configuration file,<br />
for example in.ftpd, but we preferred proftpd because it is more configurable.<br />
<strong>The</strong> Red Hat Package Manager<br />
Before showing how we installed the <strong>CICS</strong> TG, we should first explain how it is<br />
installed onto Linux using the Red Hat Package Manager (RPM).<br />
<strong>The</strong> Red Hat Package Manager is a powerful package manager, present on<br />
many Linux distributions, which can be used to install, query, update, and<br />
uninstall individual software packages. A package consists of an archive of files<br />
and package information, including name, version and description. <strong>The</strong> Red Hat<br />
Package Manager maintains a database of software packages installed onto the<br />
system, which users can interact with using the rpm command.<br />
When the <strong>CICS</strong> TG install process is run, the rpm command is used to install the<br />
<strong>CICS</strong> TG onto the system. Once the <strong>CICS</strong> TG is installed, rpm can be used to<br />
display, among other things, details of the <strong>CICS</strong> TG and where it is installed. It is<br />
also used to uninstall the <strong>CICS</strong> TG.<br />
Transferring the <strong>CICS</strong> TG files to Linux<br />
<strong>The</strong> <strong>CICS</strong> TG is supplied as an rpm file called ctg-5.0.0-1l.s390.rpm, which must<br />
be uploaded onto the Linux file system.<br />
We transferred it directly to the /tmp directory on our Linux system. Example 9-3<br />
shows the transcript of our FTP session. Note that we used binary mode for the<br />
transfer, as we did not want FTP to perform data conversion on the tar archive.<br />
Example 9-3 Example FTP upload session<br />
C:\temp>ftp vmlinux1.itso.ibm.com<br />
Connected to vmlinux1.itso.ibm.com.<br />
220 ProFTPD 1.2.2rc2 Server (powered by SuSE Linux) [vmlinux1.itso.ibm.com]
User (vmlinux1.itso.ibm.com:(none)): cicsrs3<br />
331 Password required for cicsrs3.<br />
Password:<br />
230 User cicsrs3 logged in.<br />
ftp> cd /tmp<br />
250 CWD command successful.<br />
ftp> bin<br />
200 Type set to I.<br />
ftp> put ctg-5.0.0-1.s390.rpm<br />
200 PORT command successful.<br />
150 Opening BINARY mode data connection for ctg-5.0.0-1.s390.rpm.<br />
226 Transfer complete.<br />
Once we had uploaded the <strong>CICS</strong> TG install RPM, we performed the following<br />
steps.<br />
Installing the <strong>CICS</strong> TG<br />
We installed the <strong>CICS</strong> TG RPM using the command rpm -Uvh<br />
ctg-5.0.0-1.s390.rpm, which made the Red Hat Package Manager program<br />
install the <strong>CICS</strong> TG into the /opt/ctg/ directory. We then ran the <strong>CICS</strong> TG install<br />
script ctginstall, which was created when the <strong>CICS</strong> TG was installed. <strong>The</strong><br />
transcript is shown in Example 9-4.<br />
Example 9-4 Installing the <strong>CICS</strong> TG<br />
root@vmlinux1:/ > cd /tmp<br />
root@vmlinux1:/tmp > rpm -Uvh ctg-5.0.0-1.s390.rpm<br />
ctg #################################################<br />
Run the command 'ctginstall' to complete the installation.<br />
root@vmlinux1:/tmp >ctginstall<br />
This displayed the <strong>CICS</strong> TG install prompt asking us to enter 1 to view the<br />
license agreement, as shown in Example 9-5.<br />
Example 9-5 <strong>CICS</strong> TG install script license prompt<br />
To install <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> you must accept the following license<br />
agreement.<br />
If the license file does not display<br />
correctly, try restarting the<br />
installation using the command:<br />
'/opt/ctg/bin/ctgsetup 40'.<br />
Enter 1 to view the license, or 2 to quit.<br />
We viewed the agreement by entering 1. We entered 1 repeatedly until we had<br />
viewed the entire license agreement, as shown in Example 9-6 on page 218.<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 217
218 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Example 9-6 <strong>CICS</strong> TG license agreement prompt<br />
Specified Operating Environment<br />
<strong>The</strong> Program's specifications and specified operating environment information<br />
may be found in documentation accompanying the Program, if available, such as a<br />
read-me file, or other information published by <strong>IBM</strong>, such as an announcement<br />
letter.<br />
U.S. Government Users Restricted Rights<br />
U.S. Government Users Restricted Rights - Use, duplication, or disclosure<br />
restricted by the GSA ADP Schedule Contract with the <strong>IBM</strong> Corporation.<br />
D/N: L-TMAN-57QH8C<br />
P/N: L-TMAN-57QH8C<br />
Example 9-8 Using the rpm command to query the installed <strong>CICS</strong> TG<br />
root@vmlinux1:/tmp > rpm -qi ctg<br />
Name : ctg Relocations: (not relocateable)<br />
Version : 5.0.0 Vendor: <strong>IBM</strong> Corporation.<br />
Release : 1 Build Date: Fri 21 Jun 2002<br />
11:30:17 AM EST<br />
Install date: Mon 01 Jul 2002 05:32:47 PM EDT Build Host:<br />
winlnx01.hursley.ibm.com<br />
Group : Application/Communications Source RPM: ctg-5.0.0-1.src.rpm<br />
Size : 30170845 License: <strong>IBM</strong> OCO - see other<br />
documentation for licence terms.<br />
URL : http://www.ibm.com/software/ts/cics<br />
Summary : <strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for Linux.<br />
Description :<br />
This is the <strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for Linux.<br />
It provides connectivity to <strong>CICS</strong> servers on various platforms from Java, C<br />
and C++ programs. It provides APIs for ECI, EPI and ESI (SNA only) access.<br />
<strong>The</strong> result of our <strong>CICS</strong> TG install was the directory structure shown in Figure 9-2.<br />
/opt/ctg<br />
bin<br />
Installation directory<br />
executables<br />
resource ctgcfg resources<br />
classes Java class library<br />
deployable J2EE resource adapters<br />
docs documentation<br />
include API header files<br />
lib programming libraries<br />
msgs message files<br />
samples programming samples<br />
c C source<br />
cpp Java source<br />
include header files<br />
java Java source<br />
Figure 9-2 <strong>CICS</strong> TG on Linux directory structure<br />
server <strong>CICS</strong> programs source<br />
terminalservlet Terminal Servlet samples<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 219
9.2 Configuration<br />
<strong>The</strong> directory /opt/ctg/bin contains the following files, all of which can be browsed<br />
using the command more:<br />
CTGSAMP.INI Sample CTG.INI configuration file.<br />
ctgcfg Shell script to start <strong>CICS</strong> TG X-Windows graphical<br />
Configuration Tool.<br />
ctgstart Shell script to start the <strong>Gateway</strong> daemon.<br />
ctgikey Shell script to start the SSLight tool iKeyman.<br />
220 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> other files in the directory are executables and cannot be viewed.<br />
<strong>The</strong> /opt/ctg/classes directory contains the following Java class libraries of note:<br />
ctgclient.jar <strong>CICS</strong> TG Java class library.<br />
ctgserver.jar <strong>CICS</strong> TG classes for use by <strong>Gateway</strong> daemon.<br />
ctgsamples.jar <strong>CICS</strong> TG Java samples library.<br />
<strong>The</strong> contents of these can be listed with the command jar -tvf . <strong>The</strong><br />
ctgsamples.jar file contains compiled versions of all the non-J2EE samples. We<br />
found this useful for testing because we could execute the samples easily using<br />
just this JAR file and the <strong>CICS</strong> TG Java class library JAR contained in<br />
ctgclient.jar.<br />
In this section, we detail how we configured the software components on<br />
Windows 2000, Linux, and z/OS for this scenario.<br />
To listen for requests, we needed to enable the TCP protocol handler. We did this<br />
using the Configuration Tool. To run the Configuration Tool on Linux, we ran an<br />
X-Windows server on our Windows 2000 workstation, and specified the address<br />
of the X-Windows server in the DISPLAY environment variable on Linux. <strong>The</strong> IP<br />
address of our Windows 2000 machine was 9.1.39.10 in this case. We then ran<br />
the Configuration Tool, as shown in Example 9-9.<br />
Example 9-9 Setting Linux to use the Windows 2000 X-Server for the Configuration Tool<br />
root@vmlinux1:/opt/ctg/bin > export DISPLAY=9.1.39.10:0<br />
root@vmlinux1:/opt/ctg/bin > ctgcfg<br />
Tip: <strong>The</strong> Configuration Tool can also be used on Windows to create the<br />
configuration file. This is detailed in “Using Windows to configure the <strong>CICS</strong> TG<br />
on Linux” on page 222.
We clicked No on the TaskGuide? window that appeared.<br />
From the Configuration Tool main menu, we clicked the TCP protocol handler in<br />
the Java gateway tree, and then ticked the Enable protocol handler checkbox<br />
(Figure 9-3).<br />
Figure 9-3 <strong>CICS</strong> TG Linux, configuring the TCP handler<br />
This causes the <strong>CICS</strong> TG TCP protocol handler to start up when the <strong>Gateway</strong><br />
daemon starts, and listen for TCP requests on port 2006. It creates the lines<br />
shown in Example 9-10 in the CTG.INI file.<br />
Example 9-10 TCP protocol handler lines in CTG.INI<br />
protocol@tcp.handler=com.ibm.ctg.server.TCPHandler<br />
protocol@tcp.parameters=connecttimeout=2000;idletimeout=600000;pingfrequency=60<br />
000;port=2006;solinger=0;sotimeout=1000;<br />
We also needed to configure a connection from the Client daemon to our <strong>CICS</strong><br />
region SCSCPJA1 on z/OS. For this, we re-used the TCP/IP connection<br />
described in Chapter 5, “TCP/IP connections to <strong>CICS</strong>” on page 81. See<br />
Figure 9-4 on page 222 for the definitions used. This creates the lines shown in<br />
Example 9-11 on page 222 in the CTG.INI file.<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 221
222 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 9-4 <strong>CICS</strong> TG Linux, configuring the server definition<br />
Example 9-11 Server definition in CTG.INI<br />
SECTION SERVER = SCSCPJA1<br />
DESCRIPTION=<strong>CICS</strong>TS 2.2 AT SC66<br />
UPPERCASESECURITY=Y<br />
PROTOCOL=TCPIP<br />
NETNAME=wtsc66oe.itso.ibm.com<br />
PORT=8018<br />
CONNECTTIMEOUT=0<br />
TCPKEEPALIVE=Y<br />
ENDSECTION<br />
Using Windows to configure the <strong>CICS</strong> TG on Linux<br />
When configuring the <strong>CICS</strong> TG from Linux, we found the Configuration Tool was<br />
very slow due to poor network performance. We instead chose to run the<br />
Configuration Tool on Windows to define our configuration for the <strong>CICS</strong> TG on<br />
Linux. We did this as follows:<br />
1. We started the Configuration Tool on our Windows 2000 machine with a<br />
special parameter that caused it to configure for Linux, using the following<br />
command:<br />
ctgcfg -PLAT L390
2. We defined our configuration using the Configuration Tool on Windows and<br />
saved the CTG.INI file into the c:\ctg\bin directory. This can be seen in<br />
Figure 9-4 on page 222. Note that the Configuration Tool looks almost<br />
identical to the Linux version, except the location of the CTG.INI file is shown<br />
as being in the Windows directory C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong>\bin rather than the Linux directory /opt/ctg/bin.<br />
3. We uploaded the CTG.INI file from our Windows 2000 machine onto our<br />
Linux system into the /tmp directory. Example 9-12 shows the transcript of our<br />
FTP session. Note that we used ASCII mode for the transfer, since we wanted<br />
FTP to perform data conversion on the ASCII file.<br />
Example 9-12 Uploading the CTG.INI file<br />
C:\>cd \ctg\bin<br />
C:\ctg\bin>ftp vmlinux1.itso.ibm.com<br />
Connected to vmlinux1.itso.ibm.com.<br />
220 ProFTPD 1.2.2rc2 Server (powered by SuSE Linux) [vmlinux1.itso.ibm.com]<br />
User (vmlinux1.itso.ibm.com:(none)): itso<br />
331 Password required for itso.<br />
Password:<br />
230 User itso logged in.<br />
ftp> ascii<br />
200 Type set to A.<br />
ftp> cd /tmp<br />
250 CWD command successful.<br />
ftp> put CTG.INI<br />
200 PORT command successful.<br />
150 Opening ASCII mode data connection for CTG.INI.<br />
226 Transfer complete.<br />
ftp: 1067 bytes sent in 0.00Seconds 1067000.00Kbytes/sec.<br />
4. We moved the CTG.INI file on our Linux system from the /tmp directory to the<br />
/opt/ctg/bin directory using the following command at the Linux command<br />
prompt:<br />
mv /tmp/CTG.INI /opt/ctg/bin<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 223
9.3 Testing the configuration<br />
224 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: We found that <strong>CICS</strong> TG configuration files are generally portable<br />
between different UNIX platforms and between Windows and UNIX. However,<br />
the name of the Client daemon TCP/IP protocol driver is different on Windows<br />
and on UNIX. Using a Windows configuration file with a TCP/IP server<br />
connection defined on a UNIX platform results in error messages in the Client<br />
daemon log:<br />
[3251] CCL:CCL3247 Error loading DLL '/opt/ctg/bin/CCLWNTIP.a'<br />
(/opt/ctg/bin/CCLWNTIP.a: cannot open shared object file: No such file or<br />
directory, 0)<br />
[1149] POP:CCL3229E Cannot load protocol driver 'CCLWNTIP'<br />
Running the Configuration Tool with the -plat option, specifying the platform<br />
to configure for, avoids such problems.<br />
To test our configuration we used the <strong>CICS</strong> TG sample Java application EciB1.<br />
This is installed in the <strong>CICS</strong> TG samples directory, inside the java subdirectory.<br />
<strong>The</strong> sample’s Java class is defined to be in the Java package<br />
com.ibm.ctg.samples.eci, so the sample source file is stored under the following<br />
directory structure:<br />
com/ibm/ctg/samples/eci<br />
<strong>The</strong> full path to the EciB1 sample on our Linux system is:<br />
/opt/ctg/samples/java/com/ibm/ctg/samples/eci/EciB1.java<br />
and on our Windows system it is:<br />
C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\samples\java\com\ibm\ctg\samples\eci\EciB1.java<br />
<strong>The</strong> sample is also provided in a compiled form inside ctgsamples.jar.<br />
We used EciB1 from our Linux system to call the <strong>CICS</strong> program EC01. <strong>The</strong><br />
EciB1 application flows an ECI request to a connected <strong>CICS</strong> region through a<br />
specified <strong>CICS</strong> TG (Figure 9-5 on page 225) and invokes the transaction EC01.<br />
<strong>The</strong> <strong>CICS</strong> TG URL is specified as an input parameter, and the <strong>CICS</strong> region is<br />
entered at the interactive prompt. We then used EciB1 from a Window 2000<br />
workstation to call the same <strong>CICS</strong> program (Figure 9-6 on page 225).
After we installed and configured the software components as illustrated in<br />
Figure 9-6, we tested our configurations as follows:<br />
EciB1<br />
Linux<br />
ctgclient.jar <strong>CICS</strong> TG<br />
<strong>CICS</strong><br />
SCSCPJA1<br />
ECI request<br />
JNI TCP/IP<br />
Client<br />
Daemon<br />
via<br />
TCP/IP<br />
Figure 9-5 <strong>CICS</strong> TG Linux TCP, software configuration for Linux testing<br />
EciB1<br />
ctgsamples.jar<br />
vmlinux1.itso.ibm.com<br />
<strong>Gateway</strong><br />
Daemon<br />
Figure 9-6 <strong>CICS</strong> TG Linux, TCP software configuration for Windows testing<br />
1. We started the <strong>Gateway</strong> daemon on Linux using the ctgstart command, from<br />
the <strong>CICS</strong> TG bin directory, as shown in Example 9-13 on page 226. This<br />
caused the <strong>CICS</strong> TG to start listening on port 2006 for TCP requests.<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 225<br />
ECI<br />
z/OS<br />
EC01<br />
Program<br />
wtsc66oe.itso.ibm.com<br />
Windows 2000<br />
Linux<br />
z/OS<br />
ctgclient.jar <strong>CICS</strong> TG<br />
<strong>CICS</strong><br />
SCSCPJA1<br />
ctgsamples.jar<br />
ECI request<br />
<strong>Gateway</strong><br />
Daemon<br />
JNI TCP/IP<br />
Client<br />
Daemon<br />
vmlinux1.itso.ibm.com<br />
ECI<br />
via<br />
TCP/IP<br />
EC01<br />
Program<br />
wtsc66oe.itso.ibm.com
226 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2. We checked the <strong>CICS</strong> TG log (displayed when the <strong>CICS</strong> TG is started) for the<br />
message CCL6524I indicating the TCP protocol handler had started (see<br />
Example 9-13).<br />
Example 9-13 <strong>The</strong> <strong>CICS</strong> TG message log<br />
root@vmlinux1:/ > cd /opt/ctg/bin<br />
root@vmlinux1:/opt/ctg/bin > ctgstart<br />
07/01/02 : 14:58:44:819 : <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, Version 5.0.0 Pre-release,<br />
5724-D12. Build Level c000-20020621.<br />
07/01/02 : 14:58:44:830 : (C) Copyright <strong>IBM</strong> Corporation 1999, 2002. All rights<br />
reserved.<br />
07/01/02 : 14:58:44:953 : CCL8400I: Using ini file /opt/ctg/bin/CTG.INI.<br />
07/01/02 : 14:58:44:956 : CCL6577I: Java version is 1.3.1.<br />
07/01/02 : 14:58:44:959 : CCL6502I: Initial ConnectionManagers = 1, Maximum<br />
ConnectionManagers = 100,<br />
07/01/02 : 14:58:45:236 : CCL6502I: Initial Workers = 1, Maximum Workers = 100,<br />
tcp: Port = 2006<br />
07/01/02 : 14:58:45:237 : CCL6574I: Connection logging has been disabled.<br />
07/01/02 : 14:58:45:292 : CCL6505I: Successfully created the initial<br />
ConnectionManager and Worker threads.<br />
07/01/02 : 14:58:45:352 : CCL6524I: Successfully started handler for the tcp:<br />
protocol.<br />
3. We checked the state of the TCP/IP sockets on our Linux machine using the<br />
netstat -l -n command from a Linux command prompt. This showed us that<br />
the <strong>CICS</strong> TG was indeed listening on port 2006 for TCP requests (see<br />
Example 9-14).<br />
Example 9-14 Output from the netstat command<br />
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN<br />
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN<br />
4. Next we checked basic IP connectivity from our Windows 2000 workstation to<br />
our Linux system using the ping command from a Windows 2000 prompt (see<br />
Example 9-15), and from our Linux system to our z/OS system using the ping<br />
command from a Linux prompt (see Example 9-16 on page 227).<br />
Example 9-15 Output from the ping command on Windows<br />
C:\>ping vmlinux1.itso.ibm.com<br />
Pinging vmlinux1.itso.ibm.com [9.12.6.98] with 32 bytes of data:
Reply from 9.12.6.98: bytes=32 time=140ms TTL=243<br />
Reply from 9.12.6.98: bytes=32 time=120ms TTL=243<br />
Reply from 9.12.6.98: bytes=32 time=120ms TTL=243<br />
Reply from 9.12.6.98: bytes=32 time=110ms TTL=243<br />
Ping statistics for 9.12.6.98:<br />
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />
Approximate round trip times in milli-seconds:<br />
Minimum = 110ms, Maximum = 140ms, Average = 122ms<br />
Example 9-16 Output from the ping command on Linux<br />
root@vmlinux1:~ > ping wtsc66oe.itso.ibm.com<br />
PING wtsc66oe.itso.ibm.com (9.12.6.29): 56 data bytes<br />
64 bytes from 9.12.6.29: icmp_seq=0 ttl=64 time=1.715 ms<br />
64 bytes from 9.12.6.29: icmp_seq=1 ttl=64 time=1.106 ms<br />
64 bytes from 9.12.6.29: icmp_seq=2 ttl=64 time=1.519 ms<br />
64 bytes from 9.12.6.29: icmp_seq=3 ttl=64 time=1.276 ms<br />
--- wtsc66oe.itso.ibm.com ping statistics ---<br />
4 packets transmitted, 4 packets received, 0% packet loss<br />
round-trip min/avg/max = 1.106/1.404/1.715 ms<br />
5. We then checked that <strong>CICS</strong> was listening on the TCP/IP port configured in<br />
the Client daemon server connection using the ScanPort utility. See<br />
Chapter 5.4, “Problem determination” on page 90 for more details.<br />
6. We knew that everything was working, so we set the CLASSPATH on Linux to<br />
include ctgclient.jar and ctgsamples.jar using the following command:<br />
export CLASSPATH=/opt/ctg/classes/ctgclient.jar:/opt/ctg/<br />
classes/ctgsamples.jar<br />
7. We then ran the EciB1 Java application on our Linux system using the<br />
command in Example 9-17. This ran the compiled version of EciB1 inside<br />
ctgsamples.jar and connected to the <strong>CICS</strong> TG on our Linux system. We<br />
entered 1 at the prompt to select our <strong>CICS</strong> server. As shown, EC01 returned<br />
the time and date on our <strong>CICS</strong> server.<br />
Example 9-17 Output from EciB1<br />
root@vmlinux1:/ > java com.ibm.ctg.samples.eci.EciB1<br />
tcp://vmlinux1.itso.ibm.com<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> Basic ECI Sample 1<br />
-------------------------------------------<br />
Usage: java com.ibm.ctg.samples.eci.EciB1 [<strong>Gateway</strong> Url]<br />
[<strong>Gateway</strong> Port Number]<br />
[SSL Classname]<br />
[SSL Password]<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 227
228 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
To enable client tracing, run the sample with the following Java option:<br />
-Dgateway.T.trace=on<br />
<strong>The</strong> address of the <strong>Gateway</strong> has been set to tcp://vmlinux1.itso.ibm.com<br />
Port:2006<br />
<strong>CICS</strong> Servers Defined:<br />
1. SCSCPJA1 -SCSCPJA1 TCPIP<br />
Choose Server to connect to, or q to quit:<br />
1<br />
Program EC01 returned with data:-<br />
Hex: 30342f30362f30322031383a31313a30380<br />
ASCII text: 04/06/02 18:11:08<br />
Note: We used the TCP protocol to connect to the <strong>Gateway</strong> daemon on our<br />
Linux system. If we did not specify the address of the <strong>CICS</strong> TG to connect to,<br />
EciB1 would have used local mode and would still run the <strong>CICS</strong> program<br />
successfully. However, local mode does not use the <strong>Gateway</strong> daemon and<br />
would therefore not have tested the <strong>Gateway</strong> daemon we had running on<br />
Linux.<br />
8. Once connectivity from Linux was working, we then tested from a Windows<br />
2000 workstation. We set the CLASSPATH on Windows 2000 to include<br />
ctgclient.jar and ctgsamples.jar using the following command:<br />
set CLASSPATH=C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgclient.jar;c:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgsamples.jar;<br />
9. We then ran the EciB1 Java application on our Windows 2000 workstation<br />
using the following command:<br />
java com.ibm.ctg.samples.eci.EciB1 tcp://vmlinux1.itso.ibm.com<br />
This again ran the compiled version of EciB1 inside ctgsamples.jar and<br />
connected to the <strong>CICS</strong> TG on our Linux system. We entered 1 at the prompt<br />
to select our <strong>CICS</strong> server. <strong>The</strong> successful output of EciB1 was almost<br />
identical to that shown in Example 9-17 on page 227, apart from the date<br />
returned by EC01.
Compiling and using EciB1<br />
In the above test we used the compiled version of EciB1 inside the <strong>CICS</strong> TG<br />
samples JAR. In some cases we needed to alter EciB1 and run the modified<br />
version. To compile the EciB1 source file EciB1.java stored in the samples<br />
directory and then run it, we followed these steps from a Windows command<br />
prompt:<br />
1. We set the CLASSPATH to include the current directory and the <strong>CICS</strong> TG<br />
Java class library:<br />
set CLASSPATH=.;C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgclient.jar<br />
2. We changed directory into the java subdirectory in the <strong>CICS</strong> TG samples<br />
directory:<br />
cd c:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\samples\java<br />
3. We compiled the source file EciB1.java in the samples directory, which was<br />
stored under a directory hierarchy reflecting its Java package. We used the<br />
following command:<br />
javac com\ibm\ctg\samples\eci\EciB1.java<br />
4. We ran the copy of EciB1 we had just compiled in the samples directory:<br />
java com.ibm.ctg.samples.eci.EciB1 tcp://vmlinux1.itso.ibm.com<br />
<strong>The</strong> output of the session can be seen in Example 9-18.<br />
Example 9-18 Command session for compiling and running EciB1<br />
C:\>set CLASSPATH=.;c:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong>\classes\ctgclient.jar<br />
C:\>cd c:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\samples\java<br />
C:\ctg\samples\java>javac com\ibm\ctg\samples\eci\EciB1.java<br />
C:\ctg\samples\java>java com.ibm.ctg.samples.eci.EciB1<br />
tcp://vmlinux1.itso.ibm.com<br />
Note: We set the CLASSPATH to include the current directory (the .<br />
character) because, when we executed the command to run EciB1, the Java<br />
interpreter looked for the file com\ibm\ctg\samples\eci\EciB1.class relative to<br />
any directories in the classpath. Because the current directory was c:\Program<br />
Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>\samples\java when we ran the<br />
command, the Java interpreter was able to find this file and successfully<br />
execute our modified version of EciB1.<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 229
9.4 Problem determination<br />
9.4.1 Tips and utilities<br />
9.4.2 Tracing<br />
230 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
In this section, we document information we learned while configuring this<br />
scenario, and further information on problem determination and tracing.<br />
In this section, you will find useful commands and utilities for debugging<br />
problems with your configuration. You will also find additional information about<br />
topics discussed in this chapter.<br />
Saving the <strong>CICS</strong> TG messages<br />
If you wish to save the whole message log, issue the following commands to<br />
redirect the output to a log file:<br />
cd /opt/ctg/bin<br />
ctgstart >ctg.log 2>&1<br />
Note that you will now need to use another command prompt to view the log file,<br />
as follows:<br />
cat /opt/ctg/bin/ctg.log<br />
Alternatively you can save the message log while having it output to the screen<br />
using the tee utility as follows:<br />
cd /opt/ctg/bin<br />
ctgstart 2>&1 |tee ctg.log<br />
Error messages<br />
<strong>The</strong> Client daemon writes error messages to the file <strong>CICS</strong>CLI.LOG, located in<br />
the /var/cicscli/ directory. This file is created or written to only in error situations<br />
and can be viewed using any text editor. It is particularly useful as a first stop for<br />
determining if problems have occurred with a TCP connection to a <strong>CICS</strong> server.<br />
<strong>The</strong>re are three ways to trace the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>:<br />
► <strong>Gateway</strong> daemon tracing, with various levels of tracing available.<br />
► <strong>Gateway</strong> daemon Java Native Interface (JNI) trace.<br />
► Java client tracing, which can be used to trace the Java method calls made<br />
using the <strong>CICS</strong> TG Java classes in the Java client.
<strong>Gateway</strong> daemon trace<br />
<strong>Gateway</strong> daemon trace can be controlled at startup of the <strong>Gateway</strong> with the<br />
following startup options:<br />
-trace This enables extra tracing messages.<br />
-x This enables full debug tracing.<br />
-tfile= This option can be used in conjunction with both the<br />
-trace and -x options, and overrides the default location of<br />
ctg.trc file in the bin subdirectory.<br />
For example, to route messages and trace information to the default file ctg.trc in<br />
the <strong>CICS</strong> TG bin subdirectory, specify the following on the command line:<br />
cd /opt/ctg/bin<br />
ctgstart -trace -tfile<br />
<strong>Gateway</strong> daemon trace can also be configured via the CTG.INI file. <strong>The</strong><br />
Configuration Tool can be used to do this using Tools -> Trace Settings. <strong>The</strong><br />
trace settings window will open as shown in Figure 9-7. To enable tracing, select<br />
the <strong>Gateway</strong> checkbox, in the <strong>Gateway</strong> trace file section.<br />
Figure 9-7 Configuration Tool trace settings<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 231
232 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Dynamic trace<br />
<strong>Gateway</strong> daemon trace can also be controlled dynamically during the <strong>Gateway</strong><br />
daemon operation using the TCPAdmin protocol. This is a new function provided<br />
in the <strong>CICS</strong> TG <strong>V5</strong>.0. To enable the TCPAdmin protocol handler, select the<br />
Enable protocol handler check box for the TCPAdmin handler, as shown in<br />
Figure 9-8.<br />
Figure 9-8 Configuring the TCPAdmin protocol handler<br />
You can also set the authorized hosts that are allowed to control dynamic tracing<br />
by entering them in the Authorized Hosts field and clicking the Add button.<br />
To activate the TCPAdmin protocol handler, save your changes and restart the<br />
<strong>Gateway</strong> daemon. <strong>The</strong>n you can use the tcpadmin.jar file from any authorized<br />
host by simply changing directory to the classes subdirectory, and calling the<br />
ctgadmin.jar as shown:<br />
cd /opt/ctg/classes<br />
java -jar ctgadmin.jar -ctg=tcp:\\wtsc66oe.itso.ibm.com:2810 -a=qtrace<br />
For further details on how we used dynamic tracing see “Dynamic trace<br />
(gateway)” on page 174 in Chapter 7.
<strong>Gateway</strong> daemon JNI trace<br />
<strong>Gateway</strong> daemon JNI trace is controlled at startup of the <strong>Gateway</strong> with the Java<br />
system property gateway.T.setJINTFile=. This writes trace<br />
messages to the file specified in . Java system properties can be<br />
passed to the <strong>Gateway</strong> daemon using the -j switch on the ctgstart command.<br />
For example, to route JNI trace information to the ctgjni.trc file in the <strong>CICS</strong> TG bin<br />
subdirectory, specify the following on the command line:<br />
cd /opt/ctg/bin<br />
ctgstart -j-Dgateway.T.setJNITFile=ctgjni.trc<br />
Tip: You can also control JNI trace interactively using the TCPAdmin protocol<br />
handler, just as you can for <strong>Gateway</strong> daemon tracing.<br />
Java client tracing<br />
Java client tracing can be set from the command line when the application is<br />
invoked using the following Java directive:<br />
java -Dgateway.T=on<br />
or programmatically by adding the following statements to the Java application:<br />
com.ibm.ctg.client.T.setDebugOn(true);<br />
com.ibm.ctg.client.T.setTimingOn(true);<br />
Both of these traces go to the stderr output stream, so they should be redirected<br />
to a file in order to save the trace output.<br />
For applications using the local: <strong>CICS</strong> TG protocol, JNI tracing can be set from<br />
the command line when the application is invoked using the following Java<br />
directive:<br />
java -Dgateway.T.setJNITFile=<br />
This writes trace messages to the file specified in .<br />
Client daemon<br />
<strong>The</strong> <strong>CICS</strong> TG on Linux uses the services of the Client daemon to flow ECI and<br />
EPI requests to the connected <strong>CICS</strong> server. <strong>The</strong> Client daemon can be traced<br />
using the options specified in 5.4, “Problem determination” on page 90.<br />
Linux error messages code file<br />
Several messages in the Client daemon trace refer to return codes from<br />
functions in the C runtime library. We found the file /usr/include/asm/errno.h<br />
invaluable in determining what these codes mean. This file lists which message a<br />
Chapter 9. TCP connections to the <strong>Gateway</strong> daemon on Linux 233
234 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
return code corresponds to and a brief description of the cause for many system<br />
messages. For example, the entry in the Client daemon trace:<br />
[5883] DRV:CCL5898 TCP62: recv failed, TCP/IP Rc= 107<br />
shows that the socket function recv failed with return code 107. <strong>The</strong> definition for<br />
message 107 in errno.h is:<br />
#define ENOTCONN 107 /* Transport endpoint is not connected */<br />
This shows that a return code of 107 corresponds to the error ENOTCONN.<br />
<strong>The</strong> manual page for the function recv gives further information on when this<br />
error might occur. This page can be accessed using the following command from<br />
a Linux command prompt:<br />
man recv<br />
This uses the man command to display the Linux programmer’s manual pages for<br />
the item recv. For further uses of the man command, refer to the man manual<br />
pages, accessed using the command man man.
Part 4 <strong>WebSphere</strong><br />
scenarios<br />
Part 4<br />
In this section, we describe how we configured <strong>WebSphere</strong> Application Server<br />
V4 on Windows 2000 and z/OS to utilize the services of the <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> in order to communicate with a <strong>CICS</strong> <strong>Transaction</strong> Server region.<br />
We describe both how to deploy a servlet-based Web application that uses the<br />
ECIRequest class provided in the <strong>CICS</strong> TG base classes, and how to deploy a<br />
J2EE based application that uses an integrated servlet/EJB design in conjunction<br />
with the <strong>CICS</strong> TG ECI resource adapter.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 235
236 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
10<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong><br />
Application Server for z/OS<br />
In this chapter, we describe how we configured <strong>WebSphere</strong> Application Server<br />
V4.0.1 for z/OS and OS/390 to work together with the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
(<strong>CICS</strong> TG) <strong>V5</strong> for z/OS.<br />
For details on how we installed the <strong>CICS</strong> TG for z/OS, refer to Chapter 7, “TCP<br />
connections to the <strong>Gateway</strong> daemon on z/OS” on page 133. For details on how<br />
we configured the required EXCI connection to our <strong>CICS</strong> region from the <strong>CICS</strong><br />
TG, refer to 4.2, “EXCI connections” on page 67.<br />
© Copyright <strong>IBM</strong> Corp. 2002. All rights reserved. 237
10.1 Preparation<br />
238 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We needed to install <strong>WebSphere</strong> Application Server V4, <strong>CICS</strong> TG <strong>V5</strong>, and <strong>CICS</strong><br />
TS V2.2 on our z/OS system. In Figure 10-1, we show the components needed<br />
to support this configuration.<br />
Windows 2000<br />
Web browser<br />
IP network<br />
HTTP<br />
z/OS<br />
<strong>CICS</strong> TS<br />
EXCI<br />
<strong>CICS</strong> TG<br />
<strong>WebSphere</strong><br />
Application Server<br />
HTTP Transport<br />
Handler<br />
HTTP Server<br />
Figure 10-1 Software components: <strong>CICS</strong> TG and <strong>WebSphere</strong> for z/OS scenario
10.1.1 Software checklist<br />
For this configuration we used the levels of software shown in Table 10-1.<br />
Table 10-1 Software checklist: <strong>WebSphere</strong> for z/OS<br />
Windows 2000 client z/OS<br />
Internet Explorer V6.0.2600.0000 z/OS V1.2<br />
Windows 2000 Service Pack 2 <strong>WebSphere</strong> Application Server V4.0.1 at<br />
PTF level W401057 PTF, including<br />
including J2EE Connector function<br />
supplied by fix for APAR PQ55873<br />
<strong>IBM</strong> <strong>WebSphere</strong> Application Server for<br />
z/OS and OS/390 Administration and<br />
Operations V4.01.014<br />
Application Assembly Tool (AAT) for z/OS<br />
V4.00.029<br />
10.1.2 Definitions checklist<br />
<strong>The</strong> definitions we used to configure the scenario are listed in Table 10-2.<br />
Table 10-2 Definitions checklist: <strong>WebSphere</strong> for z/OS<br />
<strong>IBM</strong> HTTP Server for z/OS V3.5<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS <strong>V5</strong>.00<br />
<strong>IBM</strong> Java Development Kit V1.3.1<br />
<strong>WebSphere</strong> z/OS <strong>CICS</strong> TS Example<br />
hostname wtsc66oe.itso.ibm.com<br />
port 80 or 99<br />
APPLID SCSCPJA1 or SCSCPJA4<br />
<strong>WebSphere</strong> J2EE Server C10ASR2<br />
DFHJVPIPE variable NETNAME defined in <strong>CICS</strong><br />
CONNECTION definition<br />
WASCTG<br />
In addition, we also deployed our <strong>CICS</strong> COBOL application ECIPROG2 by<br />
compiling the source and placing the load module in a library in our <strong>CICS</strong><br />
region’s DFHRPL concatenation. We also enabled ASCII to EBCDIC data<br />
conversion by deploying a DFHCNV data conversion template in <strong>CICS</strong> for use by<br />
this program. Refer to Appendix A, “DFHCNV and <strong>CICS</strong> data conversion” on<br />
page 329 for more details. However, since our test applications (CTGTesterECI<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 239
240 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
and CTGTesterCCI) can also convert the input and output data to and from<br />
EBCDIC, defining a data conversion template is optional in this case.<br />
<strong>WebSphere</strong> configuration<br />
We configured our <strong>WebSphere</strong> environment to use two different HTTP protocol<br />
catchers, the HTTP Transport Handler function of the <strong>WebSphere</strong> J2EE Server<br />
and the <strong>IBM</strong> HTTP Server (see Figure 10-2 on page 241).This means we had<br />
two different processes listening on two different ports, but both of them could<br />
forward HTTP requests into the Web container in the J2EE Server to run our<br />
applications. You will probably need to only use one of the protocol catchers but<br />
we had both configured for test purposes. <strong>The</strong> primary differences between the<br />
two protocol catchers are as follows:<br />
► HTTP Transport Handler<br />
– Streamlined HTTP listener implemented as a function of the J2EE Server.<br />
– Does not currently support authentication either via HTTPS or via HTTP<br />
basic authentication.<br />
► HTTP Server<br />
– Uses the HTTP Server address space in conjunction with the <strong>WebSphere</strong><br />
plugin (as previously used in <strong>WebSphere</strong> Application Server V3.5).<br />
– Supports HTTP basic authentication, and HTTPS including client<br />
authentication.<br />
Note: Since HTTP basic authentication was not currently supported with the<br />
HTTP Transport Handler at the time of writing this redbook, we used the HTTP<br />
Server environment to demonstrate how to flow the security context from the<br />
client through to our <strong>CICS</strong> region (see 10.3.2, “HTTP Server and basic<br />
authentication testing” on page 274).<br />
However, subsequent to writing this book, basic authentication and HTTPS<br />
support (not including client authentication) was implemented by the J2EE<br />
Server in APAR PQ59911, and we advise you to use this function if you<br />
require Web client authentication.
HTTP<br />
Web browser<br />
TCP/IP<br />
Port:<br />
99<br />
Port:<br />
80<br />
HTTP<br />
HTTP<br />
Server<br />
<strong>WebSphere</strong><br />
Plugin<br />
Figure 10-2 <strong>WebSphere</strong> configuration in the z/OS environment<br />
In Figure 10-2, you can see in our configuration how HTTP requests to invoke<br />
Web applications can either be routed via port 99 and the HTTP Server or via<br />
Port 80 and the HTTP Transport Handler. However, in both cases the runtime<br />
environment is still the same.<br />
For further details on the different configurations possible, we recommend the<br />
document <strong>WebSphere</strong> Application Server V4.0 and V4.0.1 for z/OS and OS/390,<br />
Configuring Web Applications, available from:<br />
http://www.ibm.com/support/techdocs<br />
<strong>IBM</strong> HTTP Server <strong>WebSphere</strong> Application Server<br />
HTTP<br />
HTTP<br />
Transport<br />
Handler<br />
J2EE Server<br />
Web Container<br />
servlets<br />
EJB Container<br />
session<br />
beans<br />
Application structure<br />
We used the following two Web applications, which we developed using<br />
<strong>WebSphere</strong> Studio Application Developer Integration Edition:<br />
► A traditional servlet based application (CTGTesterECI), which uses only the<br />
<strong>CICS</strong> TG ECIRequest class to call a program in a connected <strong>CICS</strong> region.<br />
This runs in the Web container of <strong>WebSphere</strong> Application Server.<br />
► A more modern J2EE application (CTGTesterCCI), which uses a<br />
servlet/session bean design to call a program in a connected <strong>CICS</strong> region.<br />
This application can either run in a managed or unmanaged environment. If it<br />
runs in a managed environment, the ECI resource adapter (as supplied by the<br />
<strong>CICS</strong> TG) must be installed into the application server.<br />
For further details on how we developed these applications, refer to Appendix B,<br />
“Sample applications” on page 337.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 241
242 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
CTGTesterECI<br />
<strong>The</strong> CTGTesterECI enterprise application is a servlet-based Web application that<br />
calls the specified COMMAREA-based <strong>CICS</strong> program and displays the result of<br />
the returned COMMAREA (see Figure 10-3).<br />
Web browser<br />
HTML<br />
JSP<br />
<strong>WebSphere</strong><br />
Application Server<br />
Web container<br />
servlet<br />
CTGTesterECIServlet<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> TG<br />
Java<br />
classes<br />
z/OS<br />
Figure 10-3 Application architecture of CTGTesterECI, local mode<br />
<strong>CICS</strong> TS V2.2<br />
EC01<br />
(COBOL<br />
program)<br />
<strong>The</strong> flow of control through the enterprise application is as follows:<br />
► <strong>The</strong> JavaServer Page (JSP) index.jsp contains a form that starts the servlet<br />
CTGTesterECIServlet. Several parameters are sent to the servlet: the name<br />
of the <strong>CICS</strong> program to call, the encoding to use, and details of the <strong>Gateway</strong><br />
daemon, among others.<br />
► <strong>The</strong> servlet makes the call to <strong>CICS</strong> using the ECIRequest class from the <strong>CICS</strong><br />
TG base classes. Once the call has completed, the servlet forwards the<br />
results to one of three JSPs, depending on whether the request was<br />
successful, an error occurred, or an exception occurred.<br />
► <strong>The</strong> JSP formats and displays the results of the request.<br />
This sample enterprise application is supplied in the file CTGTesterECI.ear. To<br />
obtain this file, see Appendix C, “Additional material” on page 389.<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A
CTGTesterCCI<br />
<strong>The</strong> CTGTesterCCI enterprise application calls a <strong>CICS</strong> program using the <strong>CICS</strong><br />
ECI resource adapter and displays the result. Figure 10-4 illustrates the complete<br />
architecture of the enterprise application.<br />
Web browser<br />
HTML<br />
JSP<br />
<strong>WebSphere</strong><br />
Application Server<br />
Web container<br />
EJB container<br />
session bean<br />
CTGTesterCCI<br />
servlet<br />
CTGTesterCCIServlet<br />
<strong>CICS</strong> ECI<br />
resource<br />
adapter<br />
Figure 10-4 Application architecture of CTGTesterCCI, local mode<br />
CCI<br />
<strong>CICS</strong> TG<br />
z/OS<br />
<strong>CICS</strong> TS V2.2<br />
EC01<br />
(COBOL<br />
program)<br />
<strong>The</strong> flow of control through the enterprise application is as follows:<br />
► <strong>The</strong> JSP page index.jsp contains an HTML form that starts the servlet<br />
CTGTesterCCIServlet. Several parameters are sent to the servlet, including<br />
the name of the <strong>CICS</strong> program to call, the COMMAREA input and length, and<br />
the encoding to use.<br />
► <strong>The</strong> servlet passes these parameters on to the session bean, CTGTesterCCI.<br />
► <strong>The</strong> session bean makes the ECI call to <strong>CICS</strong> using the <strong>CICS</strong> ECI resource<br />
adapter, and returns the response back to the servlet.<br />
► <strong>The</strong> servlet forwards the results to one of two JSPs, depending on whether<br />
the request was successful or not.<br />
► <strong>The</strong> JSP formats and displays the results of the request.<br />
<strong>The</strong> servlet also allows use of an unmanaged connection, in which case several<br />
additional parameters, such as <strong>CICS</strong> server and user details, may be specified,<br />
since these are normally defined in the managed connection factory.<br />
This sample enterprise application is provided in the file CTGTesterCCI.ear. To<br />
obtain this file, see Appendix C, “Additional material” on page 389.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 243<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A
10.2 <strong>WebSphere</strong> configuration<br />
244 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
This redbook assumes you have a working <strong>WebSphere</strong> Application Server<br />
runtime environment. For more details on setting up such an environment, refer<br />
to the manual <strong>WebSphere</strong> Application Server V4.0.1 for z/OS and S/390,<br />
Installation and Customization, GA22-7834.<br />
An essential part of using <strong>WebSphere</strong> for z/OS is the System Management<br />
End-User Interface, which consists of the Operations and Administration<br />
applications. Figure 10-5 shows our Operations application. For further details on<br />
configuring and using these tools, refer to “Installing the System Management<br />
End-User Interface” on page 248.<br />
Figure 10-5 Operations application<br />
<strong>The</strong> top row lists all the configured servers; the bottom row with the status icon<br />
( ) lists the server instances. A server is a logical grouping of server instances,<br />
all server instances within a server having an identical structure.<br />
In our configuration (Figure 10-5) we had the following server instances<br />
configured and active:<br />
C1EMON01 Daemon server instance<br />
C1TFRP01 Interface Repository server instance<br />
C1MING01 Naming server instance<br />
C1OASR2A J2EE Server instance<br />
C1SMGT01 System Management server instance<br />
In addition to these server we also configured an LDAP server (C1OLDAP) and<br />
an HTTP Server (SCSWEBC6).
10.2.1 J2EE Server configuration files<br />
A J2EE Server instance utilizes several different configuration files. <strong>The</strong> key files<br />
are as follows:<br />
current.env Current environment variables<br />
jvm.properties JVM properties settings<br />
webcontainer.conf Web container configuration<br />
For our J2EE Server instance, these files were located in the directory:<br />
/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/WTSCPLX1/C1OASR2A/<br />
In Example 10-1 we show the content of our jvm.properties file for our J2EE<br />
Server instance. <strong>The</strong>se settings were created from the settings input using the<br />
Administration application. After changes are activated using the Administration<br />
application, the settings are written to the jvm.properties file.<br />
Example 10-1 jvm.properties for J2EE Server instance<br />
com.ibm.ws390.wc.config.filename=/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/<br />
WTSCPLX1/C1OASR2A/webcontainer.conf<br />
com.ibm.ws390.trace.settings=/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/WTSCPLX1/<br />
C1OASR2A/trace.dat<br />
com.ibm.ws390.server.classloadermode=1<br />
In Example 10-2, we show the content of our current.env file for our J2EE Server<br />
instance C1OASR2A. <strong>The</strong>se settings were created from the settings input using<br />
the Administration application. After changes are activated using the<br />
Administration application, the settings are written to the current.env file.<br />
Example 10-2 current.env for J2EE Server instance<br />
# ENVIRONMENT FILE FROM CONVERSATION 20.6. 10:24<br />
#----------------------------------------------<br />
CLASSPATH=/usr/lpp/<strong>WebSphere</strong>/lib/ws390srt.jar:/usr/lpp/<strong>WebSphere</strong>/lib/xerces.jar<br />
:/usr/lpp/<strong>WebSphere</strong>/lib/waswebc.jar:/usr/lpp/WebSphe re/lib/bboaxrt.jar:<br />
/usr/lpp/db2/db2710/classes/db2j2classes.zip:/usr/lpp/<strong>WebSphere</strong>/lib/<br />
waswebccp.jar:/usr/lpp/ctg500/ctg/deployable/cicseciRRS.jar:/usr/lpp/ctg500/ctg<br />
/deployable/cicsframe.jar:/usr/lpp/ctg500/ctg/deployable/ctgserver.jar:/usr/lpp<br />
/ctg500/ctg/deployable/ctgclient.jar:<br />
JVM_LOGFILE=/tmp/C1OASR2.jvm.log<br />
BBOC_HTTP_PORT=80<br />
BBOC_HTTP_LISTEN_IP_ADDRESS=9.12.6.29<br />
LIBPATH=/usr/lpp/db2/db2710/lib:/usr/lpp/java/<strong>IBM</strong>/J1.3/bin:/usr/lpp/java/<strong>IBM</strong>/<br />
J1.3/bin/classic:/usr/lpp/<strong>WebSphere</strong>/lib:/usr/lpp/ctg500/ctg/deployable<br />
MAX_SRS=5<br />
DFHJVPIPE=WASCTG<br />
TRACEBUFFLOC=SYSPRINT<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 245
246 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
BBOLANG=ENUS<br />
CBCONFIG=/<strong>WebSphere</strong>C1/CB390<br />
DAEMON_PORT=5555<br />
DAEMON_SSL_PORT=5556<br />
DATASHARING=1<br />
DM_GENERIC_SERVER_NAME=C1DAEMON<br />
DM_SPECIFIC_SERVER_NAME=C1EMON01<br />
ICU_DATA=/usr/lpp/<strong>WebSphere</strong>/bin<br />
IR_GENERIC_SERVER_NAME=C1INTFRP<br />
IR_SPECIFIC_SERVER_NAME=C1TFRP01<br />
IRPROC=C1OIR<br />
IVB_DRIVER_PATH=/usr/lpp/<strong>WebSphere</strong><br />
LDAPCONF=/<strong>WebSphere</strong>C1/CB390/WTSCPLX1/etc/ldap/SC66.bboslapd.conf<br />
LDAPIRCONF=/<strong>WebSphere</strong>C1/CB390/WTSCPLX1/etc/ldap/SC66.bboslapd.conf<br />
LDAPIRROOT=o=BOSS,c=US<br />
LDAPROOT=o=BOSS,c=US<br />
LOGSTREAMNAME=WAS.SC66.ERROR.LOG<br />
NM_GENERIC_SERVER_NAME=C1NAMING<br />
NM_SPECIFIC_SERVER_NAME=C1MING01<br />
NMPROC=C1ONM<br />
OTS_DEFAULT_TIMEOUT=300<br />
OTS_MAXIMUM_TIMEOUT=300<br />
RAS_MINORCODEDEFAULT=NODIAGNOSTICDATA<br />
RESOLVE_IPNAME=wtsc66oe.itso.ibm.com<br />
RESOLVE_PORT=900<br />
SM_DEFAULT_ADMIN=CBADMIN<br />
SM_GENERIC_SERVER_NAME=C1SYSMGT<br />
SM_SPECIFIC_SERVER_NAME=C1SMGT01<br />
SMPROC=C1OSMS<br />
SOMOOSQL=1<br />
SRVIPADDR=9.12.6.29<br />
SYS_DB2_SUB_SYSTEM_NAME=DB7E<br />
TRACEALL=1<br />
TRACEPARM=00<br />
DB2SQLJPROPERTIES=/<strong>WebSphere</strong>C1/CB390/db2sqljjdbc.properties<br />
DAEMON_IPNAME=wtsc66oe.itso.ibm.com<br />
CONFIGURED_SYSTEM=SC66
Tip: Environment variables can be set at different levels with <strong>WebSphere</strong><br />
Application Server. Since we had only one J2EE Server and one J2EE Server<br />
instance, this was of little concern in our configuration. However, in a more<br />
complex environment you should consider setting common environment<br />
variables at the highest level.<br />
In the case of the <strong>CICS</strong> TG, we suggest you set the CLASSPATH and<br />
LIBPATH at the J2EE Server level, and DFHJVPIPE and at the J2EE Server<br />
instance level. You should also note that there is no need to set<br />
CTG_RRMNAME when using the <strong>CICS</strong> TG with <strong>WebSphere</strong> for z/OS, since<br />
<strong>WebSphere</strong> performs the registration with MVS Resource Recovery Services<br />
(RRS).<br />
10.2.2 HTTP Server definitions<br />
We added the following statement to our HTTP Server configuration file<br />
/web/cics6/httpd.conf:<br />
Service /CTGTester*/*<br />
/usr/lpp/<strong>WebSphere</strong>/WebServerPlugIn/bin/was400plugin.so:service_exit<br />
This statement causes inbound HTTP requests starting with the string<br />
/CTGTesterECIWeb/* to be routed to the <strong>WebSphere</strong> plugin.<br />
10.2.3 System Management End-User Interface<br />
This section describes the steps you have to take to install and run the System<br />
Management End-User Interface on your workstation.<br />
Establish communication to the host<br />
<strong>The</strong> Administration and Operations applications both use TCP/IP to<br />
communicate between your workstation and the host. All IP names used to<br />
communicate with the host must be defined either to your DNS server or in your<br />
workstation hosts file. <strong>The</strong> host names that are required are as follows:<br />
► <strong>The</strong> bootstrap server IP name<br />
<strong>The</strong> name associated with the initial connection to the host. It is defined by<br />
the RESOLVE_IPNAME parameter of the z/OS sysplex environment file (as<br />
shown in Example 10-2 on page 245).<br />
► <strong>The</strong> naming server IP name<br />
A generic name associated with your naming server and defined by the<br />
DAEMON_IPNAME parameter of the z/OS sysplex environment file. If you<br />
have more than one name server (that is, a federated name space) you must<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 247
248 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
ensure that all the name servers’ host names needed by the workstation can<br />
be resolved.<br />
► <strong>The</strong> host name of each system in the sysplex in which <strong>WebSphere</strong> for z/OS<br />
runs.<br />
Installing the System Management End-User Interface<br />
After the Application Server is installed on z/OS, you can download the System<br />
Management End-User Interface via FTP as a binary file. <strong>The</strong> file bboninst.exe is<br />
supplied on the host in the path /usr/lpp/<strong>WebSphere</strong>/bin, which you should<br />
download to your workstation and use to install the tool.<br />
Defining workstation environment variables for login options<br />
<strong>The</strong> BBONPARM workstation environment variable is used to pre-assign various<br />
login options for the Administration and Operations applications. <strong>The</strong>se values<br />
may be overwritten when you start the Administration or Operations application.<br />
<strong>The</strong> login options are:<br />
bootstrapserver Names the default IP name for the naming<br />
server<br />
bootstrapport Names the port used to connect to the<br />
naming server<br />
loginuser Names the default user ID for the login<br />
loginpassword Names the default password for the login<br />
On our workstation, we did as follows to set the bootstrap server and user ID:<br />
1. Open the Windows control panel by clicking Start -> Settings -> Control<br />
Panel. <strong>The</strong>n select System -> Advanced -> Environment Variables -> User<br />
variables for cicsrs1, where cicsrs1 is your Windows user ID.<br />
2. Define a new variable BBONPARM<br />
3. Enter the value -bootstrapserver wtsc66oe.itso.ibm.com -loginuser<br />
CBADMIN -loginpassword XXXXXXX<br />
4. Click OK and OK to set the new variable.<br />
<strong>The</strong>se default values will now be used as the default in the login panel the next<br />
time the application is started. See Figure 10-6 on page 249.<br />
Starting the Administration or Operations application<br />
To start the Administration or Operations application from your workstation, do as<br />
follows:<br />
1. Select Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong> for z/OS -> Administration or<br />
Operations as required.
2. This will display the Login window as shown in Figure 10-6.<br />
3. Modify the values as appropriate and then click OK to log in.<br />
Figure 10-6 Login window<br />
This will now start either the Administration application (as shown in Figure 10-7)<br />
or Operations application (as shown in Figure 10-5 on page 244).<br />
Figure 10-7 Administration application<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 249
10.2.4 Installing the <strong>CICS</strong> ECI resource adapter<br />
This section describes the steps necessary to prepare for the use of the <strong>CICS</strong><br />
ECI resource adapter with <strong>WebSphere</strong> Application Server. It consists of the<br />
following steps:<br />
► <strong>CICS</strong> TG considerations<br />
► <strong>CICS</strong> TS considerations<br />
► Installation of the <strong>CICS</strong> ECI resource adapters<br />
<strong>CICS</strong> TG considerations<br />
Since the <strong>CICS</strong> ECI resource adapter uses the functions of the <strong>CICS</strong> TG to<br />
connect to <strong>CICS</strong>, you will need to ensure the <strong>CICS</strong> TG environment is fully<br />
working before it can be used by <strong>WebSphere</strong> for z/OS. However, you do not need<br />
to start the <strong>Gateway</strong> daemon, since <strong>WebSphere</strong> will use the <strong>CICS</strong> TG in local<br />
mode, whereby all the <strong>CICS</strong> TG Java classes are executed within the<br />
<strong>WebSphere</strong> address space. <strong>The</strong> key points to consider are as follows:<br />
► Mark UNIX System Services programs as program controlled with the<br />
extattr +p command.<br />
► Allow the <strong>CICS</strong> TG user ID read access to program controlled libraries.<br />
250 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Further details can be found in Chapter 7, “TCP connections to the <strong>Gateway</strong><br />
daemon on z/OS” on page 133.<br />
<strong>CICS</strong> TS considerations<br />
You need to perform the following tasks:<br />
► Configure an EXCI connection in <strong>CICS</strong><br />
► Set the RRMS, and IRCSTRT SIT parameters<br />
► Define the <strong>CICS</strong> EXCI library to your J2EE Server<br />
► Define RACF security profiles<br />
SIT parameters<br />
Since the <strong>CICS</strong> TG and <strong>WebSphere</strong> use EXCI for communications and MVS<br />
resource recovery services (RRS) for transactional support, you should enable<br />
support in <strong>CICS</strong> using the following SIT parameters:<br />
► RRMS=YES<br />
► IRCSTRT=YES<br />
► ISC=YES<br />
You will then need to restart your <strong>CICS</strong> region to put these parameters into effect.<br />
EXCI connections<br />
Because the <strong>CICS</strong> ECI resource adapter uses the function of the <strong>CICS</strong> TG to<br />
connect to <strong>CICS</strong>, you will need to configure an EXCI CONNECTION definition in
all the <strong>CICS</strong> regions with which your J2EE Server whishes to communicate. Full<br />
details on how to configure EXCI connections are supplied in Chapter 4, “EXCI<br />
connections to <strong>CICS</strong>” on page 65.<br />
<strong>The</strong> main choice you must make is to decide if you will use a generic or specific<br />
EXCI pipe to communicate with <strong>CICS</strong>. <strong>The</strong> default is to use a generic pipe (which<br />
is basically an unamed pipe). If you wish to use a specific pipe you must define<br />
the DFHJVPIPE environment variable in the J2EE Server instance that will be<br />
used for the <strong>CICS</strong> connector support. This value must match the NETNAME<br />
parameter of an installed EXCI CONNECTION definition in <strong>CICS</strong>.<br />
We recommend using specific EXCI pipes, as this provides for better monitoring<br />
and accounting within <strong>CICS</strong>. <strong>The</strong> same specific pipe can still be used by multiple<br />
J2EE Server instances, to connect to the same <strong>CICS</strong> region so this does not limit<br />
your ability to work with multiple J2EE Servers in a workload management<br />
environment.<br />
Defining the EXCI library to your J2EE Server<br />
<strong>The</strong> J2EE Server that will use the <strong>CICS</strong> ECI resource adapter needs to access<br />
and load the <strong>CICS</strong> module DFHXCSTB from the SDFHEXCI library supplied with<br />
<strong>CICS</strong>. This library will typically be called <strong>CICS</strong>TS13.<strong>CICS</strong>.SDFHEXCI or<br />
<strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI, depending on the <strong>CICS</strong> release and naming<br />
conventions you use.<br />
To enable this you will need to complete one of the following steps:<br />
► Add module DFHXCSTB to the LPA.<br />
► Add the SDFHEXCI library to either the system linklist concatenation, or to<br />
the STEPLIB concatenation of the J2EE Server.<br />
We added our SDFHEXCI data set <strong>CICS</strong>TS22.<strong>CICS</strong>.SDFHEXCI to the STEPLIB<br />
in the startup procedure of the J2EE Server instance.<br />
Surrogate security profiles<br />
As a user of the <strong>CICS</strong> TG and the EXCI, the J2EE Server will be subject to RACF<br />
surrogate security checking. If surrogate security checking is enabled in<br />
DFHXCOPT, the EXCI options table, the user ID of the EXCI job (in our case the<br />
user ID of the J2EE Server region) will require read access to the<br />
USERID.DFHEXCI SURROGAT class profile, where USERID is the user ID<br />
flowed in the EXCI request. This authorizes the J2EE Server user ID to act as a<br />
surrogate for the user ID specified by the clients that may invoke J2EE<br />
applications. We defined the following profile, as we wished to give a universal<br />
access of READ to all users (in effect disabling surrogate security) for testing<br />
purposes:<br />
RDEFINE SURROGAT *.DFHEXCI UACC(READ)OWNER (<strong>CICS</strong>RS1)<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 251
252 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
SETROPTS RACLIST(SURROGAT) REFRESH<br />
Installation of the <strong>CICS</strong> ECI resource adapter<br />
Resource adapters are packaged in Resource Adapter Archive (RAR) files,<br />
which like EAR files are archives made up of JAR files and a deployment<br />
descriptor. <strong>The</strong> <strong>CICS</strong> ECI resource adapter for z/OS is provided in the file<br />
cicseciRRS.rar in the deployable directory of the <strong>CICS</strong> TG installation.<br />
This cicseciRRS.rar resource adapter archive is designed exclusively for z/OS. It<br />
makes use of the two-phase commit capability of RRS to provide support for<br />
global transactions. All non-z/OS platforms use the cicseci.rar file instead.<br />
Unlike <strong>WebSphere</strong> Application Server Advanced Edition, <strong>WebSphere</strong> Application<br />
Server for z/OS does not work with RAR files directly, so you must extract the<br />
contents of the RAR file into a directory, and point the <strong>WebSphere</strong> classpath to<br />
each JAR file in this directory.<br />
To install the <strong>CICS</strong> ECI resource adapter, we entered the following commands<br />
under OMVS:<br />
► export PATH=/usr/lpp/java/<strong>IBM</strong>/J1.3/bin:$PATH<br />
This adds the bin directory of our Java1.3 installation to the PATH<br />
environment variable.<br />
► cd /usr/lpp/ctg500/ctg/deployable<br />
This changes directory to the location where the <strong>CICS</strong> TG supplies the<br />
cicseciRRS.rar file.<br />
► jar -xvf cicseciRRS.rar<br />
This extracts the following files, as shown in Example 10-3.<br />
Example 10-3 Extract of cicseciRRS.rar<br />
$ SC66¨ /usr/lpp/ctg500/ctg/deployable: jar -xvf cicseciRRS.rar<br />
created: META-INF/<br />
extracted: META-INF/MANIFEST.MF<br />
extracted: META-INF/ra.xml<br />
extracted: ccf2.jar<br />
extracted: ctgclient.jar<br />
extracted: ctgserver.jar<br />
extracted: cicseciRRS.jar<br />
extracted: cicsframe.jar<br />
extracted: libCTGJNI.so<br />
extracted: libCTGJNI_g.so<br />
We then used the following commands to add execute permissions for all users<br />
to the <strong>CICS</strong> TG JNI shared library (libCTGJNI.so):
chmod ugo+x libCTGJNI.so<br />
Defining connection information<br />
You are now ready to define connection information to the J2EE Server. We<br />
performed the following steps:<br />
1. Start the <strong>WebSphere</strong> Application Server for z/OS and OS/390 Administration<br />
application using the menu option: Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong><br />
for z/OS -> Administration.<br />
2. Log on to your server using its IP address, port, your user ID, and password.<br />
We used wtsc66oe.itso.ibm.com, port 900, and CBADMIN as our user ID, as<br />
shown in Figure 10-6 on page 249.<br />
3. Create a new conversation to add the <strong>CICS</strong> connector support. To do this,<br />
right-click Conversations and select Add.<br />
Tip: We suggest you use a date/time based convention for your<br />
conversation names, since we found you will need to define a new<br />
conversation every time you make a change to <strong>WebSphere</strong>. We used the<br />
format . , for example CTGTester 24.5<br />
15:45. You will also see this same conversation name at the top of your<br />
current.env file (which is the file <strong>WebSphere</strong> uses to store your current<br />
definitions) after this conversation is activated. With this method, you will<br />
then know when you made the changes for the active <strong>WebSphere</strong><br />
configuration.<br />
4. Enter the conversation name and then click Selected -> Save. Our new<br />
conversation 24.5 15:45 is shown in Figure 10-8.<br />
Figure 10-8 Entering the conversation name<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 253
254 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Important: You might also be tempted to modify the current.env file<br />
instead of using the Administration application for updating J2EE Server<br />
definitions, since this is a lot quicker than using the Administration<br />
application. If you do update current.env, the update will last only until the<br />
next conversation is activated and your change will not be input to the next<br />
conversation. However, this is still a very useful method for quickly making<br />
minor or temporary changes, such as settings trace parameters or<br />
modifying the CLASSPATH.<br />
5. Now turn on connection management in the sysplex. To do this, expand the<br />
tree down to the sysplex level (in our case, click 24.5 15:45 -> Sysplexes -><br />
WTSCPLX1). <strong>The</strong>n right-click the sysplex name and select Modify. In the<br />
Configuration Extensions section, check the box labeled Connection<br />
Management. Click Selected -> Save to save your changes.<br />
6. Next, expand the list of J2EE Servers and locate the J2EE Server that you<br />
wish to use with the <strong>CICS</strong> ECI resource adapter. Right-click the J2EE Server<br />
and select Modify. See Figure 10-9.<br />
Figure 10-9 Updating J2EE Server definitions<br />
7. Make the following changes in the environment variable list:
a. Add the following JAR files in the /usr/lpp/ctg500/ctg/deployable directory<br />
to the CLASSPATH. <strong>The</strong>se are the JAR files that you created earlier from<br />
the cicseciRRS.rar file:<br />
cicseciRRS.jar<br />
cicsframe.jar<br />
ctgserver.jar<br />
ctgclient.jar<br />
Figure 10-10 Updating CLASSPATH<br />
b. Add the connectors directory to the LIBPATH. Our directory was<br />
/usr/lpp/ctg500/ctg/deployable.<br />
8. Click Selected -> Save to save your changes.<br />
9. To define a <strong>CICS</strong> ECIConnectionFactory as a new J2EE resource perform the<br />
following:<br />
– Locate the J2EE Resources folder under your sysplex, right-click it and<br />
select Add.<br />
– In the properties window, enter the following:<br />
Set the J2EE resource name. We used SCSCPJA1.<br />
Set the J2EE resource type to <strong>CICS</strong>_ECIConnectionFactory.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 255
256 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 10-11 J2EE resource SCSCPJA1<br />
10.You can now create a J2EE resource instance that defines the connection<br />
information. To do this, perform the following:<br />
– Expand the J2EE resource you have just created. This displays a J2EE<br />
resource instances folder. Right-click it and select Add.<br />
– In the properties window, enter the following:<br />
Set the <strong>CICS</strong>_ECIConnectionFactory instance name. We used<br />
SCSCPJA1.<br />
Select the System name with which this J2EE resource instance is to<br />
be associated. We used SC66.<br />
Set the Server name to the APPLID of the <strong>CICS</strong> server you wish to call.<br />
We used SCSCPJA1.<br />
– Click Selected -> Save to save your changes. Look for the following<br />
message in the status bar to confirm the operation completed<br />
successfully:<br />
BBON0515I J2EE resource Instance [name ] was added..<br />
Tip: <strong>The</strong> Administration program also has a message log where you can<br />
check these messages. Click File -> Message log.
Figure 10-12 J2EE resource instance SCSCPJA1<br />
Note: We let the other fields in the <strong>CICS</strong> ECI connection factory default.<br />
However, you can set the user ID and password in the connection factory, but<br />
they will be used only if they are not provided by either the application or the<br />
container. You can also specify the TranName or TPNName, which can be<br />
used to modify the name of the <strong>CICS</strong> mirror transaction from the default,<br />
which will be CSMI.<br />
<strong>The</strong> J2EE Server region is now configured to use the <strong>CICS</strong> ECI resource<br />
adapter. We defined a resource adapter for both of our <strong>CICS</strong> regions<br />
(SCSCPJA1 and SCSCPJA4). To do this, you need to repeat steps 9 and 10 to<br />
build multiple resource adapters. Do not commit the conversation yet because<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 257
258 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
you still need to deploy an application to make use of this support. This is<br />
described in the next section.<br />
10.2.5 Deploying our sample enterprise applications<br />
EAR files generated in <strong>WebSphere</strong> Studio cannot be directly deployed to<br />
<strong>WebSphere</strong> Application Server for z/OS. You must use the Application Assembly<br />
Tool (AAT) for z/OS to generate an EAR file that <strong>WebSphere</strong> can use. Using the<br />
AAT for z/OS also gives you the opportunity to change some deployment<br />
information. We downloaded the AAT for z/OS from the following Web site:<br />
https://www6.software.ibm.com/dl/websphere20/zosos390-p<br />
In this section, we used our sample J2EE enterprise application CTGTesterCCI.<br />
<strong>The</strong> source code for this application is provided in the additional material for this<br />
book. See Appendix C, “Additional material” on page 389.<br />
Deploying the enterprise application<br />
1. Start the AAT for z/OS by clicking Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong> for<br />
z/OS -> Application Assembly. In the left pane, right-click Applications and<br />
select Import. Specify the location of the CTGTesterCCI.ear, and click OK.<br />
<strong>The</strong> file should import successfully.<br />
Next, you will probably receive a few pop-up windows warning about missing<br />
classes (as shown in Figure 10-13). <strong>The</strong> first one of these was for<br />
javax.resource.ResourceException, to which we answered Yes. We were<br />
then required to select the JAR file containing this class (connector.jar) to be<br />
added to our EAR file. This is because our application was designed to throw<br />
a ResourceException and so this class is needed to generate the deployment<br />
code. To all the other questions we replied No, because we wanted to have<br />
the classes taken from the <strong>WebSphere</strong> runtime environment, as otherwise we<br />
found that we could have class loader problems.<br />
Important: It is possible to circumvent these errors by adding the JARs to<br />
the variable USER_AAT_CLASSPATH.<br />
Figure 10-13 AAT file import
2. Under the applications folder, there should now be a CTGTesterCCI<br />
application. Fully expand it to show all the components contained within the<br />
application, as shown in Figure 10-14.<br />
Figure 10-14 AAT showing CTGTesterCCI application<br />
3. Click CTGTesterCCI -> Ejb Jars -> CTGTesterCCIEJB -> Session Beans<br />
-> CTGTesterCCI.<br />
From here you can set deployment descriptor information for the session<br />
bean. For the purposes of this test, we will let most things default or leave<br />
them to keep the same values as we set in <strong>WebSphere</strong> Studio. However, here<br />
you could change the attributes, if needed. We clicked <strong>Transaction</strong>s -><br />
<strong>Transaction</strong> attribute -> Required because we wanted to use the <strong>CICS</strong> TG<br />
two-phase commit support to join the <strong>CICS</strong> and <strong>WebSphere</strong> transactions. You<br />
can also modify the security parameters RunAs and ThreadID. We did not<br />
modify these parameters at this time, but for further details refer to “Security<br />
settings” on page 280.<br />
4. We now need to connect our Web application CTGTesterCCIWeb to our<br />
session bean. Our servlet is coded so that it will do a JNDI lookup for the<br />
bean using the EJB reference, but we have to give it the following information:<br />
– First select the Web application by clicking Applications -><br />
CTGTesterCCI -> Web Apps -> CTGTesterCCIWeb.<br />
– Click Selected -> Modify and then select the EJBs tab.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 259
260 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
– Select the Reference Name ejb/CTGTesterCCI then click Modify.<br />
– In the Link drop-down box, select CTGTesterCCI and then click OK. This<br />
screen is shown in Figure 10-15.<br />
– Last, save these changes by clicking Selected -> Save.<br />
Figure 10-15 EJB reference<br />
5. You are now ready to create the deployment code for CTGTesterCCI. Select<br />
the application (CTGTesterCCI) from the Applications node. <strong>The</strong>n from the<br />
menu bar select:<br />
a. Build -> Validate<br />
b. Build -> Deploy<br />
Click No to the prompts to add required classes. Look for the following<br />
message to confirm deployment has successfully completed:<br />
BBO94009I Application CTGTesterCCI was deployed.<br />
6. Finally, export the modified CTGTesterCCI application from the AAT for z/OS<br />
to your local machine. To do this:<br />
– Click the CTGTesterCCI application and select Export.<br />
– Enter a path to store the EAR file, and be sure that the <strong>WebSphere</strong> for<br />
z/OS Version 4.0 compatible option is checked.<br />
– Click OK.
– Look for the following message to confirm export has successfully<br />
completed:<br />
BBO94011I Application CTGTesterCCI was exported to EAR file<br />
C:\itscctgv5\CTGTesterCCI_Deployed.ear.<br />
Installing the J2EE application<br />
<strong>The</strong> final task is to take the EAR file generated in the AAT for z/OS, and deploy it<br />
to a J2EE Server in <strong>WebSphere</strong>. Complete the following steps:<br />
1. Return to the conversation you were previously editing in the System<br />
Management End-User Interface. Right-click the J2EE Server where you<br />
installed the <strong>CICS</strong> ECI resource adapter and select Install J2EE<br />
Application.<br />
2. In the EAR Filename field, enter the name of the EAR file you exported from<br />
the AAT for z/OS, then click OK.<br />
3. <strong>The</strong> Reference and Resource Resolution window will open, where you will<br />
need to set and resolve some references before the CTGTesterCCI enterprise<br />
application can be deployed.<br />
a. Expand the CTGTesterCCI EJB folder and highlight the CTGTesterCCI<br />
session bean. <strong>The</strong>re are several properties we need to set in here.<br />
Select the EJB tab. From here you can specify the full JNDI name to give<br />
the CTGTesterCCI session bean. You can set this value to whatever you<br />
want, since our Web application does not hard code the JNDI name of the<br />
session bean. We clicked Set Default JNDI Path & Name to use the<br />
defaults (Figure 10-16 on page 262).<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 261
262 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 10-16 CTGTesterCCI bean, EJB tab<br />
b. Next click the J2EE Resource tab. Here you associate the resource<br />
reference used by the session bean with an ECIConnectionFactory<br />
defined to the J2EE Server. Click in the blank J2EE resource field, and<br />
select the resource you created earlier. We selected SCSCPJA1. Your<br />
windows should now look as shown in Figure 10-17.<br />
Figure 10-17 CTGTesterCCI bean, J2EE Resource tab<br />
4. Now expand the CTGTesterCCIWeb_WebApp.jar folder and select the Web<br />
application CTGTesterCCIWeb_WebApp. Here you are required to provide a<br />
JNDI name for the Web application. This is used internally by <strong>WebSphere</strong>,
and does not affect our application, so we clicked Set Default JNDI Path &<br />
Name, which filled in the default values, shown in Figure 10-18.<br />
Figure 10-18 CTGTester Web application, EJB tab<br />
5. If you click the Reference tab, you will also see the resolved link to the<br />
session bean (Figure 10-19 on page 264). This is the information we created<br />
earlier using the AAT for z/OS, as shown in Figure 10-15 on page 260.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 263
264 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 10-19 CTGTester Web application, Reference tab<br />
6. All required references should have now been set, and the OK button will<br />
become active. Click OK to deploy the enterprise application. If the operation<br />
completes successfully, a message similar to the following will display:<br />
BBON0470I EAR file CTGTesterCCI_deployed_resolved.ear has been<br />
successfully installed on server C1OASR2.<br />
7. You are now ready to activate the conversation. Right-click the conversation<br />
name (CTGTester 24.6. 15:45) and complete the following steps in turn:<br />
► Click Validate<br />
► Click Commit and Yes to confirm<br />
► Click Complete -> All tasks, then click Yes to confirm<br />
► Click Activate, then Yes to confirm<br />
At this point, all of your definitions are moved to your J2EE Server and they are<br />
activated. You can restart your J2EE Server and start using your application.
Deploying CTGTesterECI<br />
<strong>The</strong> installation of our ECI-based servlet application CTGTesterECI is as follows.<br />
It is not explained in great detail because it is very similar to the CTGTesterCCI<br />
installation described previously.<br />
1. Start the AAT for z/OS (click Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong> for z/OS<br />
-> Application Assembly). In the left pane, right-click Applications and<br />
select Import. Specify the location of the CTGTesterECI.ear file.<br />
2. Right-click the CTGTesterECI under the Applications node and select<br />
Validate.<br />
3. Right-click the CTGTesterECI under the Applications node and choose<br />
Deploy. Click No to the prompts to add required items. Look for the following<br />
message to confirm deployment has successfully completed:<br />
BBO94009I Application CTGTesterECI was deployed.<br />
4. Right-click the CTGTesterCCI application and select Export. Look for the<br />
following message to confirm deployment has successfully completed:<br />
BBO94011I Application CTGTesterECI was exported to EAR file C:\Documents<br />
and Settings\resident\aat\CTGTesterECI.ear.<br />
System Management End-User Interface<br />
<strong>The</strong> final task is to take the EAR file generated in the AAT for z/OS, and deploy it<br />
to a J2EE Server in <strong>WebSphere</strong>. Complete the following steps:<br />
5. From the System Management End-User Interface (<strong>WebSphere</strong> Application<br />
Server for z/OS and OS/390 Administration), create a new conversation.<br />
Right-click Conversations and click Selected -> Add.<br />
6. Right-click the J2EE Server where you installed the <strong>CICS</strong> ECI resource<br />
adapter and CTGTesterCCI and select Install J2EE Application.<br />
7. In the EAR Filename field, enter the name of the EAR file you exported from<br />
the AAT for z/OS, then click OK.<br />
8. You are required to provide a JNDI name for the Web application. This is used<br />
internally by <strong>WebSphere</strong>, and does not affect our application, so click the Set<br />
Default JNDI Path & Name button and then click OK.<br />
9. You are now ready to activate the conversation. Right-click the conversation<br />
name (CTGTesterECI 27.6. 17:25) and complete the following steps in turn:<br />
► Click Validate<br />
► Click Commit and Yes to confirm<br />
► Click Complete -> All tasks, then click Yes to confirm<br />
► Click Activate, then Yes to confirm<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 265
10.3 Testing the configuration<br />
We tested both our J2EE EJB application (CTGTesterCCI) and our servlet-based<br />
Web application (CTGTesterECI) in our J2EE Server, using the following two<br />
topologies:<br />
► HTTP Transport Handler (port 80) -> J2EE Server<br />
► <strong>IBM</strong> HTTP Server (port 99) -> <strong>WebSphere</strong> Plugin -> J2EE Server<br />
266 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: This second topology was used to demonstrate how to authenticate<br />
the Web client and flow the security context onto <strong>CICS</strong>, since at the time of<br />
writing the HTTP Transport Handler did not support basic authentication.<br />
However, this support has now been made available with the PTF for APAR<br />
PQ59911, and we advise you to use this function if you require Web client<br />
authentication.<br />
For further details on these different topologies, refer to Figure 10-2 on page 241.<br />
How the HTTP request is matched to the definitions<br />
Before testing, it is good to have a general understanding of how the URL is<br />
matched to your definitions. If something goes wrong, you then have an idea of<br />
where to look.<br />
When using the <strong>IBM</strong> HTTP Server as the protocol catcher, the HTTP Server acts<br />
merely as a router for the HTTP request. <strong>The</strong> HTTP request is passed from the<br />
HTTP server into the <strong>WebSphere</strong> plugin and onto the Web container in the J2EE<br />
Server. <strong>The</strong>refore, the HTTP Server can be used as a proxy to the J2EE Server<br />
or to handle security.<br />
When using the HTTP Transport Handler in the J2EE Server, the HTTP request<br />
is received directly by the J2EE Server listening on the defined port, and the<br />
request is forwarded directly to the Web container in the J2EE Server.<br />
Using the HTTP Server<br />
<strong>The</strong> HTTP Server configuration is stored in the httpd.conf file. Within this file,<br />
there is one statement we are particularly interested in:<br />
Service /CTGTester*/*<br />
/usr/lpp/<strong>WebSphere</strong>/WebServerPlugIn/bin/was400plugin.so:service_exit<br />
<strong>The</strong> Service statement maps a request over to the <strong>WebSphere</strong> plugin<br />
environment. If the URL matches the given template (/CTGTester*/*), then the<br />
request is passed to the <strong>WebSphere</strong> plugin's executable module<br />
(was400plugin.so), which is defined in the second part of the URL, along with the<br />
entry point to be invoked in that module (service_exit).
Since there is no definition of our Web application (CTGTesterCCIWeb) in the<br />
<strong>WebSphere</strong> plugin configuration file (was.conf), then the HTTP request is<br />
automatically sent to the Web container in the J2EE Server, rather than<br />
executing in the <strong>WebSphere</strong> plugin within the HTTP Server address space.<br />
Once the request is mapped over to the J2EE Server, the Web container will<br />
search through all the virtual-host/context-root pairs in its configuration file<br />
(webcontainer.conf) to see if the request matches. If the URL received matches a<br />
virtual-host/context-root pair, then the Web container knows to proceed. If no<br />
match is found, then <strong>WebSphere</strong> will reject the URL. We had the following<br />
definitions in our webcontainer.conf:<br />
host.default_host.alias=wtsc66oe.itso.ibm.com:80,SC66:80,<br />
wtsc66oe.itso.ibm.com:99<br />
host.default_host.contextroots=/<br />
This then is how our Web application functions:<br />
1. <strong>The</strong> first request to our Web application using the URL<br />
http://wtsc66oe.itso.ibm.com:99/CTGTesterECIWeb/ is passed to the Web<br />
container in the J2EE Server.<br />
2. <strong>The</strong> URI CTGTesterECIWeb causes the default welcome page to be loaded,<br />
which is defined in the Web deployment descriptor (web.xml) to be the Java<br />
Server Page (JSP) index.jsp.<br />
3. This index.jsp contains an HTML form that is then used to invoke the servlet<br />
CTGTesterECIServlet.<br />
4. <strong>WebSphere</strong> next goes looking for an application whose defined<br />
servletmapping value matches that implied on the received URL. In this<br />
example, the servletmapping string on the URL is CTGTesterECIServlet, and<br />
it knows this because the servletmapping value is whatever comes after the<br />
context root value on the URL. <strong>WebSphere</strong> looks through the web.xml files<br />
contained in each Web application's WAR file looking for a tag<br />
that matches the servletmapping string on the URL. When it finds one, it<br />
takes the value and goes to the point in the web.xml file<br />
where is defined. This is the class file that is executed. In our<br />
web.xml (Example 10-4), the following servlet mapping was defined.<br />
Example 10-4 web.xml<br />
<br />
<br />
<br />
CTGTesterECIWeb<br />
<br />
CTGTesterECIServlet<br />
CTGTesterECIServlet<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 267
268 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
itso.cics.eci.testereci.CTGTesterECIServlet<br />
<br />
<br />
CTGTesterECIServlet<br />
CTGTesterECIServlet<br />
<br />
<br />
index.jsp<br />
<br />
<br />
BASIC<br />
w3<br />
<br />
<br />
Using the HTTP Transport Handler<br />
<strong>The</strong> processing of an HTTP request using the J2EE Server HTTP Transport<br />
Handler works in a very similar way to the <strong>IBM</strong> HTTP Server. However, since the<br />
request is received directly by the J2EE Server, no configuration of the HTTP<br />
Server is required. Thus the flow of control is as follows:<br />
1. <strong>The</strong> request to the Web application using the URL<br />
http://wtsc66oe.itso.ibm.com:80/CTGTesterECIWeb/ is received by the<br />
HTTP Transport Handler and passed to the Web container in the J2EE<br />
Server.<br />
2. <strong>The</strong> URI CTGTesterECIWeb causes the default welcome page to be loaded,<br />
which is defined in the Web deployment descriptor (web.xml) to be the Java<br />
Server Page (JSP) index.jsp.<br />
3. This index.jsp contains an HTML form that is then used to invoke the servlet<br />
CTGTesterECIServlet.<br />
4. <strong>WebSphere</strong> next goes looking for an application whose defined<br />
servletmapping value matches that implied on the received URL and the<br />
servlet functions, as described in item 4 on page 267.<br />
10.3.1 HTTP Transport Handler testing<br />
We tested both our J2EE application CTGTesterCCI and our servlet-based<br />
application CTGTesterECI with our non-secure <strong>CICS</strong> region SCSCPJA1.<br />
We deployed the applications as described in 10.2.5, “Deploying our sample<br />
enterprise applications” on page 258 and then used the following URLs to invoke<br />
the applications.<br />
► http://wtsc66oe.itso.ibm.com:80/CTGTesterECIWeb
► http://wtsc66oe.itso.ibm.com:80/CTGTesterCCIWeb<br />
Results with ECIRequest/servlet application<br />
<strong>The</strong> initial HTLML page when running our CTGTesterECI Web application is<br />
shown in Figure 10-20.<br />
Figure 10-20 CTGTesterECI welcome page<br />
We supplied the following input parameters:<br />
<strong>CICS</strong> program name ECIPROG2<br />
COMMAREA length 35<br />
Encoding <strong>IBM</strong>037<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 269
270 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Tip: We specified an Encoding of <strong>IBM</strong>037 (EBCDIC) since we wished to<br />
convert data within our servlet and not within <strong>CICS</strong>. If you wish to convert data<br />
within <strong>CICS</strong>, you will need to define a DFHCNV entry for each <strong>CICS</strong> program,<br />
and then you will need to specify ASCII on the HTML form. For further details<br />
on defining DFHCNV entries, refer to Appendix A, “DFHCNV and <strong>CICS</strong> data<br />
conversion” on page 329.<br />
We then clicked the Submit button. <strong>The</strong> results of our successful call to the <strong>CICS</strong><br />
program ECIPROG2 are shown in Figure 10-21. This displays the <strong>CICS</strong> APPLID,<br />
the date and time, and the user ID under which the request ran.
Figure 10-21 CTGTesterECI response page<br />
<strong>The</strong> response from our call to our CTGTesterECI Web application (Figure 10-21)<br />
illustrates that the Web application successfully called the program ECIPROG2<br />
in our <strong>CICS</strong> region SCSCPJA1. <strong>The</strong> COMMAREA output from ECIPROG2<br />
shows that the request ran under default <strong>CICS</strong> user ID <strong>CICS</strong>USER, since<br />
security was inactive in this <strong>CICS</strong> region.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 271
272 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
CTGTesterCCI results<br />
For our next test, we ran the J2EE application CTGTesterCCIWeb using the<br />
HTTP Transport Handler. <strong>The</strong> initial HTLML page is shown in Figure 10-22.<br />
Figure 10-22 CTGTesterCCI welcome page<br />
This time we are using a session bean in a managed environment to invoke our<br />
<strong>CICS</strong> region. Several of the options are now set on the managed connection<br />
factory, so it was necessary to modify the following parameters only:<br />
<strong>CICS</strong> program name ECIPROG2<br />
COMMAREA length 35<br />
Encoding <strong>IBM</strong>037
We clicked Submit and received the output HTML form shown in Figure 10-23.<br />
Figure 10-23 CTGTesterCCI response page<br />
<strong>The</strong> response from our call to our CTGTesterCCI Web application (Figure 10-23)<br />
illustrates that the Web application successfully called the program ECIPROG2<br />
in our <strong>CICS</strong> region SCSCPJA1, using our managed connection factory.<br />
<strong>The</strong> COMMAREA output from ECIPROG2 shows that the request ran under<br />
default <strong>CICS</strong> user ID <strong>CICS</strong>USER, since security was inactive in this <strong>CICS</strong> region.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 273
10.3.2 HTTP Server and basic authentication testing<br />
274 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Next, we decided to route our requests to port 99 on which our HTTP Server was<br />
listening. To enable the HTTP Server to forward requests to the <strong>WebSphere</strong><br />
plugin, we added the following service statement to httpd.conf:<br />
Service /CTGTester*/*<br />
/usr/lpp/<strong>WebSphere</strong>/WebServerPlugIn/bin/was400plugin.so:service_exit<br />
Since we did not have a matching rooturi in our <strong>WebSphere</strong> plugin configuration<br />
file (was.conf), the request was automatically routed over to the J2EE Server,<br />
where it was processed just like the previous requests handled by the HTTP<br />
Transport Handler.<br />
We also modified our httpd.conf file to turn on turn on HTTP basic authentication<br />
for our Web applications. This meant our Web applications were now protected<br />
and the HTTP Server would allow access only if a valid user ID and password<br />
were supplied. <strong>The</strong> statements we added are as follows:<br />
Protection CTGTesterWeb {<br />
ServerID CTGTester<br />
UserID %%CLIENT%%<br />
AuthType Basic<br />
PasswdFile %%SAF%%<br />
Mask All<br />
}<br />
Protect /CTGTester*/* CTGTesterWeb<br />
Results with ECIRequest/servlet application<br />
We invoked our servlet application, CTGTesterECI Web application, using the<br />
following URL:<br />
http://wtsc66oe.itso.ibm.com:99/CTGTesterECIweb<br />
This caused the basic authentication challenge window to be presented to the<br />
Web client, as shown in Figure 10-24.<br />
Figure 10-24 Basic authentication prompt
If you are running the HTTP Server with trace enabled, you will now see the<br />
output in Example 10-5 in the HTTP Server SYSOUT indicating the successful<br />
verification of the given user ID.<br />
Example 10-5 HTTP Server SYSOUT<br />
HTPasswd... user "<strong>CICS</strong>RS2" verified by SAF.<br />
Authentic User... <strong>CICS</strong>RS2<br />
Accepted.... by Mask (no ACL, only Protect)<br />
............................................<br />
APIClassExec Trying to match "/CTGTesterECIWeb/" with pattern<br />
"/CTGTesterECIWeb/*".<br />
APIClassExec using HTReqArgPath.<br />
Pattern..... match SUCCEEDED.<br />
Following the successful authentication of our user ID <strong>CICS</strong>RS2, we were<br />
presented with the CTGTesterECI welcome page shown in Figure 10-25.<br />
Figure 10-25 CTGTesterECI welcome page<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 275
We changed the following parameters:<br />
<strong>CICS</strong> program name ECIPROG2<br />
COMMAREA length 35<br />
Encoding <strong>IBM</strong>037<br />
<strong>CICS</strong> Server SCSCPJA4<br />
276 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We then clicked Submit, which caused the ECI request to be flowed to our <strong>CICS</strong><br />
region using the local <strong>CICS</strong> TG, and the successful results were displayed as<br />
shown in Figure 10-26.<br />
Figure 10-26 CTGTesterECI response page<br />
<strong>The</strong> output from ECIPROG2 shows that the request ran successfully in our<br />
secure <strong>CICS</strong> region SCSCPJA4, and ran under the user ID CBASRU2. This is<br />
the user ID of the J2EE Server, and not the client user ID authenticated by the<br />
HTTP Server.
Once the request had successfully executed in <strong>CICS</strong> we checked the <strong>CICS</strong><br />
MSGUSR log which shows useful information about the link user ID used.<br />
Example 10-6 <strong>CICS</strong> log MSGUSR<br />
DFHSN1400 07/10/2002 19:14:11 SCSCPJA4 Session signon for session WC1 by user<br />
CBASRU2 is complete.<br />
DFHSN1500 07/10/2002 19:14:11 SCSCPJA4 Session signoff for session WC1 is<br />
complete. 1 transactions entered with 0 errors.<br />
<strong>The</strong> link user ID is an additional level of security used for MRO and ISC requests.<br />
For EXCI or MRO requests, the link user ID defaults to the user ID under which<br />
the connected region runs. In our case, CBASRU2 is the user ID under which the<br />
J2EE Server started task runs. This user ID must have access to all the same<br />
resources as the flowed user ID (<strong>CICS</strong>RS2). To disable link security, it is possible<br />
to make the systems equivalent by setting the USERID parameter in the EXCI<br />
SESSIONS definition. For more details, refer to “Link security” on page 107.<br />
Note: Our tests showed that in <strong>WebSphere</strong> V4 the client user ID is no longer<br />
automatically propagated through to <strong>CICS</strong> when using the ECIRequest class<br />
from a servlet, as is the case with servlets that run in the <strong>WebSphere</strong> V3.5<br />
plugin. This is because in the <strong>WebSphere</strong> V4 J2EE Server the RACF ACEE of<br />
the thread is not switched to the user ID of the client. This behavior is not<br />
affected by modifying the ThreadID parameter in the EJB deployment<br />
descriptor (see “Security settings” on page 280) since this parameter affects<br />
only the EJB container and not the Web container, which is where servlets are<br />
executed.<br />
Thus if you require propagation of the user ID, we suggest you either use<br />
J2EE applications or modify your servlet code to extract the user ID from the<br />
HTTP basic authentication header, and copy it into the strUserid parameter in<br />
the ECIRequest object. Sample code to do this is provided in our<br />
CTGTesterECI application.<br />
Results with J2EE application<br />
To install our J2EE application, CTGTesterCCI, we first started a new<br />
conversation using the <strong>WebSphere</strong> for z/OS Administration application and<br />
defined a new <strong>CICS</strong> ECI resource adapter for our secure <strong>CICS</strong> region<br />
SCSCPJA4 (for further details refer to “Installation of the <strong>CICS</strong> ECI resource<br />
adapter” on page 252). We then deployed our J2EE application in order for it to<br />
use this new resource adapter. This process is explained in detail in “Installing<br />
the J2EE application” on page 261.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 277
278 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
When CTGTester was successfully re-installed, we entered the following URL<br />
and received the basic authentication security pop-up window (Figure 10-27).<br />
http://wtsc66oe.itso.ibm.com:99/CTGTesterCCIWeb<br />
Figure 10-27 Basic authentication prompt<br />
We entered our user ID (<strong>CICS</strong>RS2) and password and received the index.jsp file<br />
as shown in Figure 10-28.<br />
Figure 10-28 CTGTesterCCI welcome page
Since we are using a session bean in a managed environment, several of the<br />
options are now set on the managed connection factory, so it was necessary to<br />
modify only the following parameters:<br />
<strong>CICS</strong> program name ECIPROG2<br />
COMMAREA length 35<br />
Encoding <strong>IBM</strong>037<br />
We clicked Submit and received the output HTML form shown in Figure 10-29.<br />
Figure 10-29 CTGTesterCCI response page<br />
<strong>The</strong> output from ECIPROG2 shows that the request ran successfully in our<br />
secure <strong>CICS</strong> region SCSCPJA4, and this time ran under the flowed user ID<br />
<strong>CICS</strong>RS2. This is the client user ID authenticated by the HTTP Server using the<br />
%%CLIENT%% setting in the protection directive. <strong>The</strong> message DFHSN1400 in the<br />
<strong>CICS</strong> MSGUSER log also showed that the link user ID was again CBASRU2, the<br />
user ID of the J2EE Server region.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 279
Security settings<br />
In <strong>WebSphere</strong> V4 for z/OS, many different security settings can affect the user ID<br />
that is flowed to <strong>CICS</strong>. We performed further tests to investigate how the<br />
following parameters affected the flowed user ID and link user ID for both a<br />
servlet/ECI application and a J2EE/CCI application. Our results are summarized<br />
below:<br />
► %%CLIENT%%<br />
This is set in the HTTP Server Protection directive. It controls the user of<br />
basic authentication by the HTTP Server, and can be used together with the<br />
RunAS parameter in the EJB deployment descriptor to control the user ID<br />
flowed to <strong>CICS</strong>.<br />
► Surrogate<br />
This parameter is set in the WebAuth.UnauthenticatedUserSurrogate<br />
parameter in the J2EE Server webcontainer.conf file. It is used to specify the<br />
user ID for unauthenticated requests. We found that if this parameter is set, it<br />
will cause the client user ID set by the HTTP Server using basic<br />
authentication to not be used for an EXCI request to <strong>CICS</strong>.<br />
280 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Note: Our J2EE application used a managed Connection Factory. However,<br />
with a J2EE application it is also possible to create a non-managed<br />
application, which does not use the JNDI to look up a pre-defined Connection<br />
Factory. In this case the user ID flowed to <strong>CICS</strong> will be the J2EE Server’s user<br />
ID, and not the client user ID. <strong>The</strong> only way to automatically propagate the<br />
client security context in this case is to use the ThreadID parameter as<br />
discussed in the following text.<br />
Important: If you wish to use basic authentication with J2EE applications, it is<br />
recommended that you define security in the Web application's deployment<br />
descriptor, using the and settings.<br />
This will allow the Web container to authenticate your requests. <strong>The</strong> function<br />
for this is provided in APAR PQ59911 and PQ55181, and is not covered in this<br />
redbook. For further details, refer to the redbook z/OS <strong>WebSphere</strong> and J2EE<br />
Security Handbook, SG24-6846.<br />
► RunAS<br />
This parameter is set on the +RunAS tab in the EJB deployment descriptor<br />
and can be set for each of the methods in the home and remote interfaces of<br />
a session bean. It can have the value Caller, Server, or Role. We used the<br />
default value Caller, which means the user ID of the caller is propagated to
the J2EE resource (the ECI resource adapter). Using Server or Role would<br />
cause either the Server’s user ID or EJB role security to be used.<br />
► ThreadID<br />
This parameter is set on the EJB deployment descriptor in the +ThreadID tab<br />
by selecting Set OS Thread Identity to RunAS Identity for the methods in<br />
the home and remote interface. <strong>The</strong> default is for the value not to be set. It<br />
controls the operating system identity on the thread of execution and allows<br />
the security context of the thread to be switched to that of the caller itself. If<br />
set for a J2EE/EJB application using the ECI resource adapter, this will<br />
change the link user ID for the EXCI request to be the flowed user ID rather<br />
than the user ID of the J2EE Server.<br />
► Res-Auth<br />
This parameter controls whether the container or application component will<br />
determine the user ID. This defaults to container and this is what we used,<br />
since this will honor the settings for ThreadID and RunAS. If Res-Auth is set<br />
to application then the user ID and password are taken from the values<br />
specified in the getConnection() method.<br />
10.4 Problem determination<br />
In this section, we document useful information we learned while configuring this<br />
scenario and further information on problem determination and tracing.<br />
10.4.1 Tips and utilities<br />
In this section, you will find commands and utilities to use in debugging problems<br />
with your configuration. You will also find some additional information about<br />
topics discussed in this chapter.<br />
<strong>WebSphere</strong> logs<br />
<strong>WebSphere</strong> Application Server uses the MVS Logger to store its log data, and<br />
therefore for setup you need to define policies to the MVS Logger for this<br />
purpose. In order to access and read this log information, you need to have<br />
access to a sample CLIST called BBORBLOG, which is supplied on the<br />
SBBOEXEC data set, which can be run using the following command:<br />
EXEC 'BBO66.SBBOEXEC(BBORBLOG)' 'WAS.SC66.ERROR.LOG'<br />
Where WAS.SC66.ERROR.LOG is the name of the MVS Logger logstream definition<br />
containing the log data. A sample of the type of information you might find when<br />
you enter this command is shown in Example 10-7.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 281
10.4.2 Tracing<br />
282 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Example 10-7 Log data from MVS Logger<br />
2002/07/22 12:26:26.991 01 SYSTEM=SC66 SERVER=C1OASR2A JobName=C1OASR2S<br />
ASID=0X03FE PID=0X050E0061 TID=0X10E4E208 00000000 c=UNK ./bbolsys.cpp+882 ...<br />
BBOU0632E JVM EXIT API DRIVEN. JVM EXITING WITH CODE=<br />
2002/07/22 11:48:45.951 01 SYSTEM=SC66 SERVER=C1SMGT01 JobName=C1OSMSS<br />
ASID=0X03F2 PID=0X000E00A4 TID=0X10E26C80 00000000 c=UNK ./bbolsys.cpp+882 ...<br />
BBOU0632E JVM EXIT API DRIVEN. JVM EXITING WITH CODE=<br />
Common errors<br />
We found that if we included all the required JAR files as stated by the AAT for<br />
z/OS, this could lead to class loader problems. To avoid this problem, we did not<br />
import the stated classes, and instead specified them on the J2EE Server<br />
CLASSPATH setting.<br />
Useful commands<br />
For problem determination with your LDAP server, you will need a browser<br />
capable of browsing the JNDI name space. For details of the Softerra LDAP<br />
browser we used with our LDAP server, refer to Chapter 4, “Configuring the JNDI<br />
server” in the <strong>IBM</strong> redbook, Enterprise JavaBeans for z/OS and OS/390, <strong>CICS</strong><br />
<strong>Transaction</strong> Server V2.2, SG24-6284.<br />
Also for more advanced investigation of the JNDI name space when using an<br />
LDAP server, you can use the LDAP command-line utilities:<br />
► ldapsearch<br />
► ldapmodify<br />
► ldapadd<br />
► ldapdelete<br />
► ldapmoddrn<br />
Various levels of <strong>CICS</strong> TG tracing can be enabled from <strong>WebSphere</strong>. <strong>The</strong>y are as<br />
follows:<br />
► J2EE resource adapter trace<br />
► <strong>CICS</strong> TG Java client trace<br />
► <strong>CICS</strong> TG JNI trace
J2EE resource adapter trace<br />
Resource adapter tracing is used to control tracing of the flow of execution<br />
through the CCI classes. When using a non-managed connection factory, it is<br />
activated programmatically by invoking the setTraceLevel() method on the<br />
ECIManagedConectionFactory object. Our sample application CTGTesterCCI<br />
provides the option to activate J2EE resource adapter tracing in this way.<br />
When using a managed environment, J2EE resource adapter tracing is instead<br />
activated by using the Administration application as described in the following<br />
section.<br />
Using the Administration application, set the Trace Level property in the<br />
<strong>CICS</strong>_ECIConnectionFactory J2EE Resource to one of the following values:<br />
0 Disable all tracing<br />
1 Output exception trace stacks<br />
2 Output method entry and exit stack traces<br />
3 Output debug trace entries<br />
We set this value to 2 as shown in Figure 10-30 on page 283, and we also set the<br />
LogWriter Recording parameter to enable.<br />
Figure 10-30 Trace Level settings<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 283
284 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We then added the following to our J2EE Server jvm.properties file:<br />
com.ibm.ws390.trace.settings=/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/<br />
WTSCPLX1/C1OASR2A/trace.dat<br />
This line names a trace.dat file that we created in the same directory as the<br />
jvm.properties file. In the trace.dat file we added the following two statements:<br />
com.ibm.ws.classloader.*=all=enabled<br />
com.ibm.ws390.logwriter.*=all=enabled<br />
We then restarted our J2EE Server using the Operations application and trace<br />
was now active, in the J2EE Server, and written to the SYSPRINT of the J2EE<br />
Server. An example of the trace output is shown in Figure 10-8.<br />
Example 10-8 J2EE trace output<br />
Trace: 2002/07/22 18:24:05.074 01 t=7D20B8 c=8.2 key=P8 (13007002)<br />
FunctionName: com.ibm.ws390.logwriter.SCSCPJA4<br />
SourceId: com.ibm.ws390.logwriter.SCSCPJA4<br />
Category: DEBUG<br />
ExtendedMessage: 18:24:05:073 : Ý<strong>WebSphere</strong> t=007d20b8:2cf5c220¨ : --><br />
com.ibm.connector2.cics.ECIManagedConnectionFactory.cre<br />
onnectionFactory()<br />
parms=com.ibm.ws390.connmgmt.WS390AppServerConnectionManager@36286ca5<br />
Trace: 2002/07/22 18:24:05.074 01 t=7D20B8 c=8.2 key=P8 (13007002)<br />
FunctionName: com.ibm.ws390.logwriter.SCSCPJA4<br />
SourceId: com.ibm.ws390.logwriter.SCSCPJA4<br />
Category: DEBUG<br />
ExtendedMessage: 18:24:05:074 : Ý<strong>WebSphere</strong> t=007d20b8:37bbeca5¨ : --><br />
com.ibm.connector2.cics.ECIConnectionFactory.super() pa<br />
ConnectionManager=Ýcom.ibm.ws390.connmgmt.WS390AppServerConnectionManager@36286<br />
ca5¨ ManagedConnectionFactory=Ýcom.ibm.connector<br />
cs.ECIManagedConnectionFactory@2cf5c220 ConnectionURL="local:"<br />
ServerName="SCSCPJA4" PortNumber=2006 Userid="null"" TranName=nul<br />
NName=null¨<br />
Trace: 2002/07/22 18:24:05.075 01 t=7D20B8 c=8.2 key=P8 (13007002)<br />
FunctionName: com.ibm.ws390.logwriter.SCSCPJA4<br />
SourceId: com.ibm.ws390.logwriter.SCSCPJA4<br />
Category: DEBUG<br />
ExtendedMessage: 18:24:05:075 : Ý<strong>WebSphere</strong> t=007d20b8:37bbeca5¨ :
For further details on tracing J2EE resources in <strong>CICS</strong>, refer to Chapter 4 in<br />
<strong>WebSphere</strong> Application Server V4.0.1 for z/OS and OS/390, Messages and<br />
Diagnosis, GA22-7837.<br />
Java client trace<br />
<strong>CICS</strong> TG Java client tracing can be set programmatically within the servlet by<br />
adding the following statements to the Java application:<br />
com.ibm.ctg.client.T.setDebugOn(true);<br />
com.ibm.ctg.client.T.setTimingOn(true);<br />
In our CTGTesterECI Web application the Trace option on the index.jsp welcome<br />
page controls this tracing. Output from this trace will go to the SYSPRINT log of<br />
the J2EE Server, since this is what we set up for the TRACEBUFLOC, as shown<br />
on page 286.<br />
Note: Enabling <strong>CICS</strong> TG Java client tracing in an application will enable it for<br />
all applications running in the application server, as a consequence of the<br />
static nature of the T class.<br />
<strong>CICS</strong> TG JNI trace<br />
<strong>CICS</strong> TG JNI trace is output from the <strong>Gateway</strong> JNI module (libCTGJNI.so) that<br />
acts as the interface between the <strong>Gateway</strong> and the underlying native transport<br />
(EXCI). We found it to be a very useful means of problem determination.<br />
It is controlled with the Java system property gateway.T.setJNITFile. <strong>The</strong><br />
property value specifies the file name where the JNI trace is output. This must be<br />
set in the JVM properties file for the J2EE Server. To do this, we performed the<br />
following steps:<br />
1. Edited our J2EE Server instance’s jvm.properties file, located in the directory<br />
/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/WTSCPLX1/C1OASR2A.<br />
2. Added the following Java property:<br />
gateway.T.setJNITFile=/tmp/wasctgjni.trc<br />
3. Restarted our J2EE Server instance using the Operations application.<br />
You can see the output in our JNI trace file (/tmp/wasctgjni.trc) for a simple<br />
request to our CTGTesterCCI Web application in Example 10-9.<br />
Example 10-9 <strong>CICS</strong> TG JNI trace output from <strong>WebSphere</strong><br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> JNI Trace file for z/OS Version 5.0, Build Level<br />
c000-20020621<br />
20:13:59.451 [020e008c,10e616a0,WS007208 ] : CCL6813I CcicsInit: Running<br />
under Websphere z/OS.<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 285
286 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
20:13:59.451 [020e008c,10e616a0,WS007208 ] : CCL6880I Specific pipe used.<br />
NETNAME=<strong>WebSphere</strong> t=007d20b8<br />
20:13:59.622 [020e008c,10e616a0,WS007208 ] : CCL6800I ECI parameters on<br />
entry. Call_Type = 1, Extend_Mode = 0, Luw_Token = 0, C<br />
ommarea_Length = 35, Cics_Rc = 0, Flags = 2, outbound Commarea length = 2.<br />
20:13:59.622 [020e008c,10e616a0,WS007208 ] : CCL6801I CcicsECI: Performed<br />
parameter conversion. parameter name = jstrServer, pa<br />
rameter value = SCSCPJA4.<br />
20:13:59.623 [020e008c,10e616a0,WS007208 ] : CCL6801I CcicsECI: Performed<br />
parameter conversion. parameter name = jstrUserid, pa<br />
rameter value = CBASRU2 .<br />
20:13:59.623 [020e008c,10e616a0,WS007208 ] : CCL6801I CcicsECI: Performed<br />
parameter conversion. parameter name = jstrProgram, p<br />
arameter value = ECIPROG2.<br />
20:13:59.624 [020e008c,10e616a0,WS007208 ] : CCL6802I CcicsECI: Input<br />
commarea information. commarea length = 35, commarea addr<br />
ess = 1e7c2728.<br />
20:13:59.624 [020e008c,10e616a0,7208CCL6802IC : CCL6810I connopen: First<br />
request on TCB address = 7d20b8.<br />
20:13:59.628 [020e008c,10e616a0,WS007208 ] : CCL6804I CcicsECI: Returned<br />
commarea information. commarea length = 35, commarea a<br />
ddress = 1e7c2728, inbound commarea data length =35.<br />
20:13:59.629 [020e008c,10e616a0,WS007208 ] : CCL6805I ECI parameters on<br />
exit. Call_Type = 1, Extend_Mode = 0, Luw_Token = 0, Co<br />
mmarea_Length = 35, Cics_Rc = 0, AV = 2.<br />
Tip: New in <strong>CICS</strong> TG for z/OS <strong>V5</strong>.0 is the default logging of EXCI return<br />
codes. <strong>The</strong>se are written to unique files in the directory $HOME/ibm/ctgjnilog.*<br />
and should be checked before resorting to a <strong>CICS</strong> TG JNI trace.<br />
J2EE Server tracing<br />
To enable tracing in the <strong>WebSphere</strong> Application Server J2EE Server, you must<br />
place a new entry in the environment variable list for the appropriate J2EE<br />
Server. This can be done either from within <strong>WebSphere</strong> Application Server for<br />
z/OS administration console, or simply by editing the current.env file.<br />
Our current.env file was located in the following directory:<br />
/<strong>WebSphere</strong>C1/CB390/controlinfo/envfile/WTSCPLX1/C1OASR2A/current.env<br />
To activate JVM tracing, we added the following variables to this file:<br />
► JVM_LOGFILE=/tmp/WAS.jvm.log<br />
► JVM_DEBUG=1<br />
This caused JVM trace entries to be written out to the HFS file /tmp/WAS.jvm.log.
To activate J2EE Server tracing, we also added the following variables:<br />
► TRACEALL=1<br />
► TRACEBUFFLOC=SYSPRINT<br />
This causes level 1 trace entries to be written to the SYSPRINT of the J2EE<br />
Server.<br />
Note: Tracing in the J2EE Server takes effect as soon as the server is<br />
restarted. Since this means that the startup process itself will be traced, you<br />
will notice that startup will take a longer time to complete than normal.<br />
You may have noticed the operand we chose to open the variable list for input<br />
was JVM_LOGFILE. This operand indicates where output from the trace will be<br />
sent. <strong>The</strong> value we specified was /tmp/WAS.jvm.log. A sample view of the trace<br />
data sent to this file is shown in Example 10-10.<br />
Example 10-10 Sample output from JVM trace<br />
Opened /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar in 134 ms¨<br />
Opened /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/i18n.jar in 6 ms¨<br />
Loaded java.lang.NoClassDefFoundError from /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar¨<br />
Loaded java.lang.Class from /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar¨<br />
Loaded java.lang.Object from /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar¨<br />
Loading superclasses of java/lang/Object¨<br />
Loaded java.lang.Throwable from /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar¨<br />
Loading superclasses of java/lang/Throwable¨<br />
Loaded java.io.Serializable from /usr/lpp/java/<strong>IBM</strong>/J1.3/lib/rt.jar¨<br />
Loading superclasses of java/io/Serializable¨<br />
Preparing java/lang/Object¨<br />
Initializing java/lang/Object¨<br />
HTTP Server tracing<br />
If you are using the HTTP Server as the HTTP protocol catcher, trace can be<br />
activated by setting the -v or -vv parameters in the startup procedure. To activate<br />
trace in a running server, you can use the SDSF command:<br />
F SCSWEBC6,APPL=-VV<br />
Chapter 10. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for z/OS 287
288 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong><br />
Application Server for<br />
Windows<br />
11<br />
In this chapter, we describe how we configured <strong>WebSphere</strong> Application Server<br />
Advanced Edition (<strong>WebSphere</strong> AE) for Windows to use the <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> (<strong>CICS</strong> TG) Java classes to make External Call Interface (ECI) calls to<br />
our <strong>CICS</strong> <strong>Transaction</strong> Server (<strong>CICS</strong> TS) V2.2 region. See Figure 11-1 on<br />
page 290.<br />
We used two test applications; CTGTesterECI and CTGTesterCCI.<br />
CTGTesterECI uses a servlet and the <strong>CICS</strong> TG Java classes, CTGTesterCCI<br />
uses a session bean and the J2EE resource adapter. We first tested using local<br />
mode to connect directly to the Client daemon on the <strong>WebSphere</strong> machine, then<br />
we tested using remote mode to connect to a <strong>CICS</strong> TG on z/OS.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 289
11.1 Preparation<br />
Web browser<br />
290 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
IP network<br />
<strong>WebSphere</strong><br />
Application Server<br />
<strong>CICS</strong> TG<br />
connector<br />
classes<br />
TCP/IP<br />
IP network<br />
Figure 11-1 Software components: <strong>CICS</strong> TG and <strong>WebSphere</strong> for Windows scenario<br />
In the following sections, we detail how we configured <strong>WebSphere</strong> Application<br />
Server to work in conjunction with the <strong>CICS</strong> TG, and how we then tested our<br />
configuration using our sample applications, CTGTesterCCI and CTGTesterECI.<br />
For further details on how we developed these applications, refer to Appendix B,<br />
“Sample applications” on page 337.<br />
<strong>The</strong> CTGTesterECI enterprise application is a servlet-based ECI application that<br />
calls a <strong>CICS</strong> program and displays the results. Figure 11-2 illustrates the<br />
complete architecture of the application.<br />
Web browser<br />
HTML<br />
HTTP<br />
JSP<br />
Windows 2000<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong><br />
TCP/IP<br />
Figure 11-2 Application architecture of CTGTesterECI, local mode<br />
local:<br />
z/OS<br />
<strong>CICS</strong> TS<br />
(SCSCPJA1)<br />
TCP/IP<br />
volga.almaden.ibm.com wtsc66oe.itso.ibm.com<br />
<strong>WebSphere</strong> Application<br />
Server for Windows<br />
servlet<br />
CTGTesterECIServlet<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> TG<br />
Java<br />
classes<br />
local:<br />
<strong>CICS</strong> TS V2.2<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A<br />
z/OS<br />
EC01<br />
(COBOL<br />
program)
<strong>The</strong> flow of control through the enterprise application is as follows:<br />
► <strong>The</strong> JavaServer Page (JSP) index.jsp contains an HTML form that starts the<br />
servlet CTGTesterECIServlet. Several parameters are sent to the servlet: the<br />
name of the <strong>CICS</strong> program to call, the encoding to use, and details of the<br />
<strong>Gateway</strong> daemon, among others.<br />
► <strong>The</strong> servlet makes the call to <strong>CICS</strong> using the ECIRequest class in the <strong>CICS</strong><br />
TG Java class library. Once the call has completed, the servlet forwards the<br />
results to one of three JSPs, depending on whether the request was<br />
successful, an error occurred, or an exception occurred.<br />
► <strong>The</strong> JSP formats and displays the results of the request.<br />
This enterprise application is stored in the file CTGTesterECI.ear. To obtain this<br />
file, see Appendix C, “Additional material” on page 389.<br />
<strong>The</strong> CTGTesterCCI enterprise application calls a <strong>CICS</strong> program using the <strong>CICS</strong><br />
ECI resource adapter and displays the result. Figure 11-3 illustrates the complete<br />
architecture of the enterprise application.<br />
Web browser<br />
HTML<br />
JSP<br />
<strong>WebSphere</strong> Application<br />
Server for Windows<br />
servlet<br />
CTGTesterCCIServlet<br />
<strong>CICS</strong> TG<br />
session bean <strong>CICS</strong> ECI<br />
CTGTesterCCI CCI resource<br />
local:<br />
adapter<br />
Figure 11-3 Application architecture of CTGTesterCCI, local mode<br />
<strong>CICS</strong> TS V2.2<br />
EC01<br />
(COBOL<br />
program)<br />
<strong>The</strong> enterprise application consists of the following steps:<br />
► <strong>The</strong> JSP page index.jsp contains an HTML form that starts the servlet<br />
CTGTesterCCIServlet. Several parameters are sent to the servlet: the name<br />
of the <strong>CICS</strong> program to call, the COMMAREA input and length, and the<br />
encoding to use.<br />
► <strong>The</strong> servlet passes these parameters on to the CTGTesterCCI session bean.<br />
► <strong>The</strong> session bean makes the call to <strong>CICS</strong> using the <strong>CICS</strong> ECI resource<br />
adapter, and returns the response to the servlet.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 291<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A<br />
z/OS
292 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► <strong>The</strong> servlet forwards the results to one of two JSPs, depending on whether<br />
the request was successful or not.<br />
► <strong>The</strong> JSP formats and displays the results of the request.<br />
<strong>The</strong> servlet also allows the use of an unmanaged connection, in which case<br />
several additional parameters, such as <strong>CICS</strong> server and user details, may be<br />
specified.<br />
This enterprise application is stored in the file CTGTesterCCI.ear. To obtain this<br />
file, see Appendix C, “Additional material” on page 389.<br />
For details on how we configured the underlying connectivity to our <strong>CICS</strong><br />
<strong>Transaction</strong> Server region using the TCP/IP protocol, refer to Chapter 5, “TCP/IP<br />
connections to <strong>CICS</strong>” on page 81.<br />
11.1.1 Software checklist<br />
We used the levels of software described in Table 11-1.<br />
Table 11-1 Software checklist: <strong>WebSphere</strong> for Windows<br />
Windows workstation z/OS<br />
Windows 2000 Service Pack 2 z/OS V2.1<br />
<strong>IBM</strong> DB2® Universal Database<br />
Enterprise Edition 7.2.<br />
<strong>IBM</strong> HTTP Server V1.3.19 (included with<br />
<strong>WebSphere</strong> AE)<br />
<strong>WebSphere</strong> Application Server V4.03 for<br />
Windows - Advanced Edition<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for Windows<br />
<strong>V5</strong>.0<br />
Microsoft Internet Explorer V6.0.26<br />
<strong>CICS</strong> <strong>Transaction</strong> Server V2.2<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> for z/OS <strong>V5</strong>.0<br />
Note: We used <strong>WebSphere</strong> Application Server V4.03 Advanced Edition<br />
because it comes with support for J2EE Connector Architecture V1.0.<br />
<strong>WebSphere</strong> AE V4.01 does not, and requires the Connector Architecture for<br />
<strong>WebSphere</strong> Application Server (technology preview) to be installed on top of<br />
<strong>WebSphere</strong>. Additionally, the <strong>CICS</strong> TG recommends the use of <strong>WebSphere</strong><br />
V4.03 for considerably better J2EE performance than <strong>WebSphere</strong> V4.02.
11.1.2 Definitions checklist<br />
Before you configure the products, we recommend that you acquire definitions for<br />
the following parameters. <strong>The</strong> values shown in Table 11-2 are the definitions we<br />
used on our Windows workstation.<br />
Table 11-2 Definitions checklist: <strong>WebSphere</strong> for Windows<br />
Property Value<br />
<strong>IBM</strong> HTTP Server install directory C:\<strong>IBM</strong> HTTP Server<br />
<strong>WebSphere</strong> install directory C:\<strong>WebSphere</strong>\AppServer<br />
DB2 install directory C:\Program Files\SQLLIB<br />
<strong>CICS</strong> TG install directory C:\Program Files\<strong>IBM</strong>\<strong>IBM</strong> <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong><br />
Windows 2000 workstation hostname volga<br />
<strong>CICS</strong> Server name SCSCPJA1<br />
In addition we also had to deploy our <strong>CICS</strong> COBOL application EC01, and to<br />
configure a DFHCNV data conversion template in <strong>CICS</strong> for use by this program.<br />
Refer to Appendix A, “DFHCNV and <strong>CICS</strong> data conversion” on page 329 for<br />
more details.<br />
11.1.3 Installing <strong>WebSphere</strong> Application Server<br />
We first installed <strong>IBM</strong> DB2 7.2. We selected a typical install and took note of the<br />
DB2 password. We chose not to install the OLAP starter kit. Once DB2 was<br />
installed, we upgraded the JDBC level to V2.<br />
We then installed <strong>WebSphere</strong> Application Server using the supplied setup.exe<br />
application. During the installation we selected the Typical Installation. We<br />
supplied the DB2 password when asked. When the installation was completed,<br />
we rebooted the Windows 2000 machine.<br />
For further information and guidance concerning installing <strong>WebSphere</strong>, refer to<br />
the Redbook <strong>IBM</strong> <strong>WebSphere</strong> V4.0 Advanced Edition Handbook, SG24-6176.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 293
11.2 Configuration<br />
In this section, we discuss the configuration of our <strong>WebSphere</strong> Application<br />
Server on Windows 2000. We detail the following steps:<br />
► Starting the administrative console<br />
► Installing the <strong>CICS</strong> ECI resource adapter<br />
► Deploying the CTGTesterECI application<br />
► Deploying the CTGTesterCCI application<br />
294 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> CTGTesterCCI application makes use of the <strong>CICS</strong> ECI resource adapter, so<br />
it must be installed for CTGTesterCCI to work. CTGTesterECI does not need the<br />
<strong>CICS</strong> ECI resource adapter installed.<br />
11.2.1 Starting the administrative console<br />
Before starting the <strong>WebSphere</strong> administrative console, we started the Admin<br />
Server. This was done by selecting Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong> -><br />
Application Server V4.0 AE -> Start Admin Server, but we could have also<br />
started it using the <strong>IBM</strong> WS AdminServer 4.0 Windows service.<br />
Once the Admin Server has started, we started the <strong>WebSphere</strong> administrative<br />
console by selecting Start -> Programs -> <strong>IBM</strong> <strong>WebSphere</strong> -> Application<br />
Server V4.0 AE -> Administrator’s Console. A pop-up window was displayed<br />
stating that the console was loading, and then the window shown in Figure 11-4<br />
was displayed.<br />
Figure 11-4 <strong>WebSphere</strong> administrative console
Default resources<br />
We expanded the contents of the <strong>WebSphere</strong> Administrative Domain by<br />
selecting the square containing the plus sign. Expanding down through the<br />
topology we saw that all the default resources supplied with <strong>WebSphere</strong><br />
Application Server were available. This included the default application server<br />
instance Default Server and Web modules such as default_app and examples.<br />
11.2.2 Installing the <strong>CICS</strong> ECI resource adapter<br />
<strong>The</strong> <strong>CICS</strong> TG provides two <strong>CICS</strong> resource adapters: the ECI resource adapter<br />
and the EPI resource adapter. <strong>The</strong> ECI resource adapter is used by<br />
CTGTesterCCI. This section describes how to install one or both of these<br />
resource adapters into <strong>WebSphere</strong> Application Server.<br />
This section assumes that the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>.0 is already<br />
installed. Please follow these steps to install the <strong>CICS</strong> resource adapters:<br />
1. Open the <strong>WebSphere</strong> Advanced administrative console. Expand <strong>WebSphere</strong><br />
Administrative Domain -> Resources. Notice the J2C Resource Adapters<br />
folder (Figure 11-5). This is where the resource adapters are defined to the<br />
application server.<br />
Figure 11-5 Administrative console J2C resource adapters<br />
2. Resource adapters are installed into application servers by adding the<br />
contents of a Resource Adapter Module (represented by a file with an<br />
extension of rar) to the application server. This RAR file contains a collection<br />
of JAR files relating to the resource adapter, and a deployment descriptor<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 295
296 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
(ra.xml) that describes the deployment properties for the resource adapter.<br />
<strong>The</strong> <strong>CICS</strong> TG provides a RAR file for each <strong>CICS</strong> resource adapter. To install<br />
the <strong>CICS</strong> ECI resource adapter, follow these steps:<br />
a. Right-click J2C Resource Adapters and select New. This opens the J2C<br />
Resource Adapter Properties window.<br />
b. In the General tab, enter a name for the resource adapter in the Name<br />
field. Use <strong>CICS</strong> ECI.<br />
c. In the General tab, expand the Archive file name textbox.<br />
d. This opens the Install Driver window. Select the node you wish to install<br />
the resource adapter to by clicking the node name, then click the Browse<br />
button to select the RAR file to use.<br />
e. To install the ECI resource adapter, move to the subdirectory deployable<br />
under the <strong>CICS</strong> TG install directory and select cicseci.rar. Select Open to<br />
select this file, then select Install.<br />
f. <strong>The</strong> completed J2C Resource Adapter Properties window is shown in<br />
Figure 11-6. Select the Connections and Advanced tabs to view<br />
information about the resource adapter.<br />
g. Select OK to finish. If the resource adapter was installed correctly, a<br />
window will display saying Command “J2CResourceAdapter.create”<br />
completed successfully.<br />
Figure 11-6 J2C resource adapter properties<br />
3. If you wish to install the EPI resource adapter, repeat the above process,<br />
selecting cicsepi.rar as the archive file name.
Configure a connection factory<br />
Every resource adapter installed in <strong>WebSphere</strong> Application Server should have<br />
one or more connection factories associated with it. A connection factory<br />
contains deployment specific connection information. In the case of the <strong>CICS</strong><br />
resource adapters, this information includes:<br />
► <strong>The</strong> connection URL of the <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
► <strong>The</strong> <strong>CICS</strong> server to communicate with<br />
► <strong>The</strong> <strong>CICS</strong> program to call, or the <strong>CICS</strong> transaction to start<br />
► A user ID and password to flow to <strong>CICS</strong><br />
At least one connection factory is required to use the resource adapter in a<br />
managed environment. Setting up multiple connection factories allows you to<br />
configure a collection of possible connection options. When you deploy an<br />
enterprise bean into <strong>WebSphere</strong> Application Server, you must select which<br />
connection factory you wish to use.<br />
This section explains how to create and configure a connection factory for the<br />
<strong>CICS</strong> ECI resource adapter. This connection factory will be used in the next<br />
section to test the J2EE Connector Architecture support in the application server.<br />
► In order to open the Connection Factories window in the <strong>WebSphere</strong><br />
administrative console, take the following steps:<br />
a. Expand <strong>WebSphere</strong> Administrative Domain -> Resources -> J2C<br />
Resource Adapters. This will display the resource adapter you have<br />
installed.<br />
b. Expand the <strong>CICS</strong> ECI resource adapter, and select J2C Connection<br />
Factories. A list of all connection factories created for this resource<br />
adapter (if any) will be displayed in the right pane.<br />
► To create a new connection factory, take the following steps:<br />
a. Right-click J2C Connection Factories and select New. This will open the<br />
J2C Connection Factory Properties window.<br />
b. In the General tab enter the following:<br />
In the Name field, enter a name for the connection factory. Use<br />
SCSCPJA1 - local.<br />
Optionally, enter a path in the JNDI binding path field. We used<br />
eis/SCSCPJA1. If you leave this blank, a JNDI binding path will be<br />
created for you in the format of eis/.<br />
Notice the J2C Resource Adapter field is set to <strong>CICS</strong> ECI.<br />
– <strong>The</strong> Advanced tab allows you to set connection pooling information.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 297
298 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
– <strong>The</strong> Connections tab allows you to set connection-specific information. Set<br />
the following (Figure 11-7):<br />
ConnectionURL sets the connection URL of the <strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> to use. Use local: if you wish to use a local <strong>CICS</strong> TG.<br />
However, if you wish to connect to a remote <strong>Gateway</strong> daemon, specify<br />
the <strong>CICS</strong> TG URL here.<br />
ServerName sets the name of the <strong>CICS</strong> server to connect to. Use<br />
SCSCPJA1.<br />
If your <strong>CICS</strong> region requires security credentials, specify values for the<br />
UserName and Password parameters.<br />
Figure 11-7 J2C connection factory properties, connections definition<br />
– Click OK when finished. If the connection factory was installed correctly, a<br />
window will display saying Command “J2CConnectionFactory.create”<br />
completed successfully. This will publish a reference to the<br />
connection factory in the JNDI name space.<br />
► <strong>The</strong> newly created connection factory will be displayed in the right pane<br />
(Figure 11-8 on page 299).
Figure 11-8 Administrative console with the Connection Factory<br />
Note: To remove a connection factory definition, all enterprise applications<br />
that use it must first be stopped and removed. Also to remove the ECI<br />
resource adapter, all connection factory definitions must first be removed.<br />
11.2.3 Deploying our sample enterprise applications<br />
We deployed our sample enterprise applications, CTGTesterECI and<br />
CTGTesterCCI. You can obtain these samples with the additional material<br />
supplied with this book. For further details, refer to Appendix C, “Additional<br />
material” on page 389.<br />
Deploying the CTGTesterECI application<br />
To deploy our CTGTesterECI servlet we first copied the J2EE enterprise archive<br />
(EAR) file CTGTesterECI.ear onto our Windows 2000 machine into the directory<br />
c:\<strong>WebSphere</strong>\AppServer\installableApps. We then had to install the enterprise<br />
application in <strong>WebSphere</strong> using the administrative console.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 299
To install our enterprise application using the administrative console, perform the<br />
following steps:<br />
1. Select Console -> Wizards -> Install Enterprise Application.<br />
2. This opens the Install Enterprise Application Wizard window. Select Install<br />
Application (*.ear) then select Browse. Move to the directory where you put<br />
CTGTesterECI.ear, select this file, then select Open. <strong>The</strong> window will look like<br />
Figure 11-9.<br />
300 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-9 Installing CTGTesterECI into <strong>WebSphere</strong> Application Server<br />
3. You should use the default values specified in the EAR file to deploy this<br />
enterprise application. Click Next continually until the Selecting Virtual Hosts<br />
for Web Modules window appears (Figure 11-10 on page 301).
Figure 11-10 Selecting Virtual Hosts for Web Modules window for CTGTesterECI<br />
4. On the Selecting Virtual Hosts for Web Modules window, ensure that the<br />
Virtual Host is set to default_host, then click Next.<br />
5. Click Next past the Selecting Application Servers window.<br />
6. Click Finish at the Completing the Application Installation window. If the<br />
enterprise application was installed successfully, a window will display saying<br />
Command "EnterpriseApp.install" completed successfully.<br />
<strong>The</strong> enterprise application CTGTesterECI will be created. To view it in the<br />
administrative console, expand <strong>WebSphere</strong> Administrative Domain -><br />
Enterprise Applications. See Figure 11-11 on page 302.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 301
302 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-11 Viewing the installed enterprise application CTGTesterECI<br />
In order to use the CTGTesterECI application, the <strong>CICS</strong> TG Java class library<br />
(ctgclient.jar) needs to be added to the application server’s CLASSPATH.<br />
Additionally, ctgserver.jar is needed for local mode, since the <strong>CICS</strong> TG<br />
Java<strong>Gateway</strong> class must be instantiated within the Web application, as there is<br />
no <strong>Gateway</strong> daemon in use.<br />
1. From the <strong>WebSphere</strong> administrative console, expand <strong>WebSphere</strong><br />
Administrative Domain -> Nodes -> node name -> Application Servers.<br />
Click Default Server (Figure 11-12 on page 303).
Figure 11-12 Default server configuration<br />
2. Select the JVM Settings tab. On the Classpaths section of the tab, click Add<br />
and enter the absolute path to ctgclient.jar. Click Add again and enter the<br />
absolute path to ctgserver.jar. <strong>The</strong>se JARs are located in the <strong>CICS</strong> TG<br />
classes directory.<br />
3. Click Apply. <strong>The</strong> settings will be applied to the server configuration; see<br />
Figure 11-13.<br />
Figure 11-13 Adding <strong>CICS</strong> TG Java classes to the default server CLASSPATH<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 303
304 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
4. <strong>The</strong> Web server plugin must now be regenerated. From the administrative<br />
console, expand <strong>WebSphere</strong> Administrative Domain -> Nodes and<br />
right-click your node name. Select Regen Webserver plugin.<br />
5. Before running this enterprise application, restart the default application<br />
server. To do this, expand <strong>WebSphere</strong> Administrative Domain -> Nodes -><br />
node name -> Application Servers. Right-click Default Server. Stop the<br />
server if it is running, then right-click Default Server and select Start to<br />
restart the default server.<br />
Deploying the CTGTesterCCI application<br />
To deploy our CTGTesterCCI application, we first copied the J2EE enterprise<br />
archive (EAR) file CTGTesterCCI.ear onto our Windows 2000 machine into the<br />
directory c:\<strong>WebSphere</strong>\AppServer\installableApps. We then had to install the<br />
Enterprise Application in <strong>WebSphere</strong> using the administrative console.<br />
To install our enterprise application using the administrative console, perform the<br />
following steps:<br />
1. Select Console -> Wizards -> Install Enterprise Application.<br />
2. This opens the Install Enterprise Application Wizard window (Figure 11-14).<br />
Select Install Application (*.ear) then select Browse. Navigate to the<br />
directory containing CTGTesterCCI.ear, select this file, then select Open.<br />
Figure 11-14 Installing CTGTesterCCI into <strong>WebSphere</strong> Application Server
3. Click Next three times to display the Binding Enterprise Beans to JNDI<br />
Names window (Figure 11-15). This allows you to change the JNDI name<br />
under which the session bean is bound in the JNDI name space. <strong>The</strong> JNDI<br />
name will already be set to ejbs/CTGTesterCCI, as specified in the EAR file.<br />
Click Next to accept this value.<br />
Figure 11-15 Binding Enterprise Beans to JNDI Names window<br />
4. <strong>The</strong> Mapping EJB References to Enterprise Beans window is shown<br />
(Figure 11-16 on page 306). This allows you to change the JNDI name the<br />
servlet’s EJB reference is bound to. <strong>The</strong> JNDI name will already be set to<br />
ejbs/CTGTesterCCI, as specified in the EAR file. This matches the JNDI<br />
name of the session bean, seen in the previous window. Click Next to accept<br />
this value.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 305
306 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-16 Mapping EJB References to Enterprise Beans window<br />
5. <strong>The</strong> Mapping Resource References to Resources window is shown. Click<br />
Next. This will result in the error message shown in Figure 11-17.<br />
Figure 11-17 Invalid Resource Reference<br />
This error arises because the JNDI binding name eis/<strong>CICS</strong>A that is specified<br />
for the ECI resource reference in the EAR does not match the JNDI name of<br />
an existing connection factory resource in <strong>WebSphere</strong>, since at this point we<br />
specify a JNDI name of a resource that does exist. We suggest that you use<br />
the connection factory that was configured previously with the JNDI name<br />
eis/SCSCPJA1. To do this, click OK and follow the remaining instructions.
6. Click the Select Resource button, and choose the name of the connection<br />
factory resource that you want to use. <strong>The</strong> name of the resource in<br />
<strong>WebSphere</strong>, rather than its JNDI name, is displayed. Choose the SCSCPJA1<br />
- local resource that was previously created. Click OK to show the completed<br />
window (Figure 11-18) and click Next.<br />
Figure 11-18 Using previously created connection factory<br />
7. Click Next twice. On the Selecting Virtual Hosts for Web Modules window<br />
ensure that the Virtual Host is set to default_host, then click Next.<br />
8. Click Next past the Selecting Application Servers window.<br />
9. Click Finish at the Completing the Application Installation window. When<br />
prompted whether to regenerate the application code for installation, choose<br />
No. If the enterprise application was installed successfully, a window will<br />
display saying Command "EnterpriseApp.install" completed successfully.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 307
308 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> enterprise application CTGTesterCCI is now created. To view it in the<br />
administrative console, expand <strong>WebSphere</strong> Administrative Domain -><br />
Enterprise Applications. See Figure 11-19.<br />
Figure 11-19 Viewing the installed enterprise application CTGTesterCCI<br />
10.<strong>The</strong> Web server plugin must now be regenerated. From the administrative<br />
console, expand <strong>WebSphere</strong> Administrative Domain -> Nodes and<br />
right-click your node name. Select Regen Webserver plugin.<br />
11.Before running this enterprise application, restart the default application<br />
server. To do this, expand <strong>WebSphere</strong> Administrative Domain -> Nodes -><br />
node name -> Application Servers. Right-click Default Server. Stop the<br />
server if it is running, then select Start to restart the default server.
11.3 Testing the configuration<br />
11.3.1 Local testing<br />
Web browser<br />
After we installed and configured the software components we tested our<br />
<strong>WebSphere</strong> for Windows configuration in two scenarios using a local <strong>CICS</strong> TG,<br />
and one scenario using a remote <strong>CICS</strong> TG.<br />
We tested two scenarios using the local: protocol. <strong>The</strong> local: protocol bypasses<br />
the <strong>Gateway</strong> daemon and instead causes the application to invoke the native<br />
Client daemon libraries using the Java Native Interface (JNI) directly.<br />
Result with ECIRequest/servlet application<br />
First we used our ECIRequest-based servlet application, CTGTesterECI, to call<br />
the <strong>CICS</strong> program EC01, using a local <strong>CICS</strong> TG (Figure 11-20).<br />
<strong>IBM</strong><br />
HTTP<br />
Server<br />
Windows<br />
<strong>WebSphere</strong> AE<br />
CTGTesterECI<br />
<strong>CICS</strong> TG<br />
Java classes<br />
local:<br />
<strong>CICS</strong> TG<br />
Client<br />
daemon<br />
TCP/IP<br />
Figure 11-20 <strong>WebSphere</strong> with CTGTesterECI using local <strong>CICS</strong> TG<br />
TCP/IP<br />
z/OS<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
Server region<br />
SCSCPJA1<br />
EC01<br />
volga wtsc66oe.itso.ibm.com<br />
To verify this configuration, we performed the following tasks:<br />
1. We started the <strong>IBM</strong> HTTP Server by clicking Start -> Programs -> <strong>IBM</strong> HTTP<br />
Server -> Start HTTP Server.<br />
2. We opened our Web browser and loaded the welcome page of the <strong>IBM</strong> HTTP<br />
Server using the URL http://volga. This allowed us to verify that the HTTP<br />
server was correctly serving Web pages.<br />
3. We started the Client daemon TCP/IP connection to the <strong>CICS</strong> <strong>Transaction</strong><br />
Server region using the Windows command <strong>CICS</strong>CLI -S=SCSCPJA1.<br />
To verify the status of the Client daemon connection, we used the command<br />
<strong>CICS</strong>CLI -L, the output of which is shown in Example 11-1 on page 310.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 309
310 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Example 11-1 Viewing the status of the Client daemon connection<br />
C:\><strong>CICS</strong>CLI -L<br />
CCL8001I <strong>CICS</strong>CLI - <strong>CICS</strong> Client Control Program<br />
CCL0002I (C) Copyright <strong>IBM</strong> Corporation 1994,2001. All rights reserved.<br />
CCL8041I <strong>The</strong> <strong>CICS</strong> Client is using the following servers:<br />
CCL8042I Server 'SCSCPJA1' (using 'TCPIP' to 'wtsc66oe.itso.ibm.com') is<br />
available<br />
For more details on configuring the TCP/IP protocol with the <strong>CICS</strong> TG, refer<br />
to Chapter 5, “TCP/IP connections to <strong>CICS</strong>” on page 81.<br />
4. To start our <strong>WebSphere</strong> Application Server, we selected Start -> Programs<br />
-> <strong>IBM</strong> <strong>WebSphere</strong> -> Application Server V4.0 AE -> Start Admin Server.<br />
We also started the administrative console to allow us to view the status of the<br />
resources in our <strong>WebSphere</strong> domain. We started this using the path Start -><br />
Programs -> <strong>IBM</strong> <strong>WebSphere</strong> -> Application Server V4.0 AE -><br />
Administrator’s Console.<br />
<strong>The</strong> default server in our <strong>WebSphere</strong> administrative domain was started, as<br />
indicated by the green disk beside the server instance.<br />
5. To determine if the CTGTesterECI application was running, from the<br />
administrative console we expanded <strong>WebSphere</strong> Administrative Domain -><br />
Enterprise Applications and right-clicked the CTGTesterECI node. We<br />
selected Show Status from the pop-up menu. <strong>The</strong> resulting pop-up window<br />
showed that the CTGTesterECI Web application was running on the default<br />
server (Figure 11-21).<br />
Figure 11-21 Status window showing the CTGTesterECI application running<br />
Note: Each individual application can be started by right-clicking their node<br />
and selecting Start from the pop-up menu. <strong>The</strong> default server can also be<br />
restarted by stopping and starting it. Starting a server will also start all<br />
applications that run inside it.<br />
6. We opened our Web browser and loaded the welcome page of the<br />
CTGTesterECI application using the URL http://volga/CTGTesterECIWeb/.<br />
This displayed the page shown in Figure 11-22 on page 311. <strong>The</strong> default
parameters were set up to cause the CTGTesterECI servlet to make a ECI<br />
call to EC01 on our <strong>CICS</strong> region SCSCPJA1, using the local: protocol.<br />
Figure 11-22 CTGTesterECI enterprise application welcome page<br />
7. We clicked the Submit button. This used the ECIRequest Java classes to call<br />
the EC01 <strong>CICS</strong> program. <strong>The</strong> successful response was shown in the Web<br />
browser. See Figure 11-23 on page 312.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 311
312 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-23 CTGTesterECI enterprise application response<br />
For more details on how the CTGTesterECI application functions, refer to<br />
Appendix B, “Sample applications” on page 337. For instructions on how to<br />
obtain the sample code for CTGTesterECI, refer to Appendix C, “Additional<br />
material” on page 389.
Results with J2EE application<br />
Next we used our J2EE application, CTGTesterCCI, to call the <strong>CICS</strong> program<br />
EC01, using the <strong>CICS</strong> TG ECI resource adapter and the connection factory we<br />
set up previously. This used a local <strong>CICS</strong> TG (Figure 11-24).<br />
Web browser<br />
<strong>IBM</strong><br />
HTTP<br />
Server<br />
Windows<br />
<strong>WebSphere</strong> AE<br />
CTGTesterCCI<br />
ECI<br />
resource<br />
adapter<br />
local:<br />
<strong>CICS</strong> TG<br />
Client<br />
daemon<br />
TCP/IP<br />
TCP/IP<br />
Figure 11-24 <strong>WebSphere</strong> with CTGTesterCCI using local <strong>CICS</strong> TG<br />
z/OS<br />
<strong>CICS</strong> <strong>Transaction</strong><br />
Server region<br />
SCSCPJA1<br />
To verify this configuration we performed the following steps:<br />
1. We verified that the <strong>IBM</strong> HTTP Server was running using the steps detailed in<br />
the previous section.<br />
2. We verified that the <strong>WebSphere</strong> default server was running and that our<br />
application CTGTesterCCI was running using the steps detailed in the<br />
previous section.<br />
3. We opened our Web browser and loaded the welcome page of the<br />
CTGTesterCCI application using the URL http://volga/CTGTesterCCIWeb/.<br />
This displayed the page shown in Figure 11-25 on page 314. <strong>The</strong> default<br />
parameters were set up to cause the CTGTesterCCI application to make an<br />
ECI call to EC01 on a <strong>CICS</strong> region, using the ECI resource adapter. <strong>The</strong> ECI<br />
resource adapter was configured to use the local: protocol and the server<br />
SCSCPJA1, defined in “Configure a connection factory” on page 297.<br />
EC01<br />
volga wtsc66oe.itso.ibm.com<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 313
314 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-25 CTGTesterCCI enterprise application welcome page<br />
4. We clicked the Submit button. This used the <strong>CICS</strong> TG resource adapter to<br />
call the EC01 <strong>CICS</strong> program. <strong>The</strong> successful response was shown in the Web<br />
browser. See Figure 11-26 on page 315.
Figure 11-26 CTGTesterCCI enterprise application response<br />
For more details on how the CTGTesterCCI application functions, refer to<br />
Appendix B, “Sample applications” on page 337.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 315
11.3.2 Remote testing<br />
316 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
We next tested a remote scenario using the tcp: protocol to connect to a remote<br />
<strong>Gateway</strong> daemon running on z/OS. <strong>The</strong> tcp: protocol is used to make a socket<br />
connection from the Windows machine to the <strong>Gateway</strong> daemon, which then<br />
forwards the request onto a connected <strong>CICS</strong> region using the EXCI.<br />
Results with J2EE application<br />
We used our J2EE application, CTGTesterCCI, to call the <strong>CICS</strong> program EC01,<br />
using the <strong>CICS</strong> TG SCSCG5 on our z/OS system (Figure 11-27).<br />
Web browser<br />
<strong>IBM</strong><br />
HTTP<br />
Server<br />
Windows<br />
<strong>WebSphere</strong> AE<br />
CTGTesterCCI<br />
ECI<br />
resource<br />
adapter<br />
volga.almaden.ibm.com<br />
<strong>CICS</strong> TG<br />
TCP <strong>Gateway</strong><br />
EXCI<br />
daemon<br />
SCSCTG5<br />
Figure 11-27 <strong>WebSphere</strong> with CTGTesterCCI using remote <strong>CICS</strong> TG<br />
z/OS<br />
<strong>CICS</strong> TS region<br />
SCSCPJA1<br />
To configure CTGTesterCCI to use a remote <strong>CICS</strong> TG, we configured a new<br />
connection factory, following the steps in “Configure a connection factory” on<br />
page 297. We specified the following settings:<br />
Name SCSCPJA1 - scsctg5<br />
JNDI binding path SCSCPJA1-scsctg5<br />
ConnectionURL tcp://wtsc66oe.itso.ibm.com<br />
ServerName SCSCPJA1<br />
PortNumber 2006<br />
We then configured the CTGTesterCCI enterprise application to use this<br />
connection factory instead of SCSCPJA1 - local. We performed the following<br />
steps:<br />
1. In the administrative console, we expanded <strong>WebSphere</strong> Administrative<br />
Domain -> Enterprise Applications -> CTGTesterCCI. We clicked EJB<br />
Modules under CTGTesterCCI. We clicked the Resource Reference tab<br />
(Figure 11-28 on page 317).<br />
EC01<br />
wtsc66oe.itso.ibm.com
Figure 11-28 CTGTesterCCI resource references<br />
2. We selected the ECI resource reference. We clicked the Select Resource<br />
button. This caused the Select Resource pop-up window to appear. From this<br />
window, we changed the resource in the drop-down list to SCSCPJA1-scsctg5<br />
(Figure 11-29). We then clicked OK.<br />
Figure 11-29 Drop-down list<br />
3. In the Resource Reference window, we clicked the Apply button.<br />
4. <strong>The</strong> CTGTesterCCI enterprise application had to be restarted to use the new<br />
connection factory. We right-clicked the CTGTesterCCI node under<br />
Enterprise Applications and selected Stop. Once CTGTesterCCI had<br />
stopped, we right-clicked the CTGTesterCCI node again and selected Start.<br />
We then retested CTGTesterCCI following the steps in “Results with J2EE<br />
application” on page 316. <strong>The</strong> results were similar to those shown in<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 317
318 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-26 on page 315, because the resource adapter hides details of the<br />
<strong>CICS</strong> server and <strong>CICS</strong> TG protocol it uses.<br />
11.4 Problem determination<br />
In this section, we document useful information we learned while configuring this<br />
scenario and further information on problem determination and tracing.<br />
11.4.1 Tips and utilities<br />
Important: We found that if no transactional attribute is specified on a session<br />
bean deployed into <strong>WebSphere</strong> AE, then the <strong>WebSphere</strong> still makes the bean<br />
transactional by default. If this bean makes a call to the <strong>CICS</strong> TG resource<br />
adapter, this will be run under an extended LUW. If used with a remote <strong>CICS</strong><br />
TG on z/OS, the <strong>CICS</strong> TG must be configured with transactional EXCI support<br />
enabled; otherwise a simple request would fail with the error CTG9631E. For<br />
further details about enabling transactional EXCI, refer to page 152 in<br />
Chapter 7.<br />
In this section, you will find commands and utilities for debugging problems with<br />
your configuration. You will also find some additional information about topics<br />
discussed in this chapter.<br />
Serious events<br />
<strong>The</strong> Event Viewer is shown in the bottom part of the <strong>WebSphere</strong> administrative<br />
console (see Figure 11-30). This Viewer displays records of the last several<br />
serious events to occur since the administrative server was started, as well as<br />
warning and audit messages.<br />
Figure 11-30 Event Viewer window on the administrative console<br />
Use the Options window to specify Event Viewer properties, such as how many<br />
event records to keep at one time and how often to update the messages on the<br />
administrative console with data from the administrative server. <strong>The</strong> Log Limit<br />
property specifies how many serious event records to keep. <strong>The</strong>y are stored in<br />
the administrative database. If the administrative database is getting too full, set<br />
the Log Limit to the minimum value that is reasonable for your environment.
<strong>WebSphere</strong> logs<br />
Log files provide information about administrative and application servers as they<br />
initialize and run. After an error or problem condition occurs, logs can be<br />
reviewed for clues as to what happened. <strong>The</strong> logs provided by <strong>WebSphere</strong><br />
include stderr, stdout, wasdb2, and wssetup logs and are located in the<br />
\<strong>WebSphere</strong>\AppServer\logs directory.<br />
► Stderr and stdout logs<br />
<strong>The</strong>se capture events presented through two of the three standard I/O<br />
streams. Stdin are the arguments entered with a command or program.<br />
Stdout is the output displayed to the user. Stderr are the errors thrown by the<br />
code.<br />
<strong>The</strong> stdout and stderr logs contain application server communication, for<br />
application servers and the admin server, providing error and informational<br />
messages that reflect server startup and server status change requests, such<br />
as start, stop, and restart. Entries displayed in the Event Viewer are written to<br />
the standard out log.<br />
Output from System.err.println and System.out.println statements in the<br />
application code will also appear in the application server stdout and stderr<br />
logs respectively.<br />
By default, logs for the default server are output to the files<br />
Default_Server_stdout.log and Default_Server_stderr.log. <strong>The</strong> file name and<br />
destination directory of the logs can be specified in the File tab of the default<br />
server node (Figure 11-31).<br />
Figure 11-31 Specifying file destinations for server logs<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 319
320 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
► Wasdb2 log<br />
This log is created when the DB2 database is configured. This log enables<br />
you to determine if the <strong>WebSphere</strong> database was created correctly and if<br />
<strong>WebSphere</strong> Application Server can connect to it. Errors creating the system<br />
management repository tables will be logged in this file, called wasdb2.log.<br />
► Wssetup log<br />
This log is created during the install process and shows if the install process<br />
was successful. It includes installation processes such as verifying<br />
prerequisite, downloading files, and updating configuration files. <strong>The</strong> file is<br />
called wssetup.log.<br />
Common errors<br />
If you see the following exception message when executing a request against a<br />
remote <strong>CICS</strong> TG for z/OS using the resource adapter:<br />
javax.resource.spi.ResourceAdapterInternalException: CTG9631E: Error<br />
occurred during interaction with <strong>CICS</strong>. Error Code=ECI_ERR_SYSTEM_ERROR<br />
and the following message in the <strong>CICS</strong> TG JNI trace:<br />
[020e06ed,10db6250,Worker-0 ] : CCL6818E: CcicsECI: Begin Context<br />
failed. RRM Return code = 1878.<br />
Check that transactional EXCI is enabled on the <strong>CICS</strong> TG for z/OS. See 11.3.2,<br />
“Remote testing” on page 316 for further details.<br />
Altering connection factory settings<br />
We found that when changing settings on existing connection factory definitions,<br />
for example adding a user name and password, we had to restart the default<br />
server for the settings to take effect. Restarting the enterprise application that<br />
was using the connection factory was not sufficient.<br />
Useful commands<br />
We found the <strong>WebSphere</strong> utility dumpnamespace useful to verify that our<br />
session bean and connection factories had been registered in the JNDI name<br />
space. <strong>The</strong> utility is supplied with <strong>WebSphere</strong> in the AppServer\bin directory.<br />
We ran the dumpnamespace utility from the <strong>WebSphere</strong> Appserver\bin directory<br />
on our Windows 2000 workstation. <strong>The</strong> utility connected to the JNDI server on<br />
the machine and output the contents of the JNDI name space, as shown in<br />
Example 11-2 on page 321.
11.4.2 Tracing<br />
Example 11-2 Output from dumpnamespace<br />
=============================================================================<br />
Beginning of Name Space Dump<br />
=============================================================================<br />
1 (top)<br />
...<br />
8 (top)/eis javax.naming.Context<br />
9 (top)/eis/SCSCPJA1 SCSCPJA1<br />
...<br />
57 (top)/ejbs javax.naming.Context<br />
58 (top)/ejbs/CTGTesterCCI itso.cics.eci.j2ee.testercci._CTGTesterCCIHome_Stub<br />
...<br />
Recall that we defined each connection factory’s JNDI binding path as being<br />
eis/. Example 11-2 shows our connection factory<br />
SCSCPJA1 bound with the JNDI path eis/SCSCPJA1 as specified in “Configure<br />
a connection factory” on page 297.<br />
Also recall that when we deployed the CTGTesterCCI enterprise application, we<br />
used the value of ejbs/CTGTesterCCI for the JNDI Name of our CTGTesterCCI<br />
session bean. Example 11-2 also shows the JNDI entry for our session bean.<br />
Various levels of <strong>CICS</strong> TG tracing can be enabled from <strong>WebSphere</strong>. <strong>The</strong>y are:<br />
► Java application trace<br />
► Resource adapter trace<br />
► JNI trace<br />
Java client trace<br />
<strong>CICS</strong> TG Java client tracing can be set programmatically by adding the following<br />
statements to the Java application:<br />
com.ibm.ctg.client.T.setDebugOn(true);<br />
com.ibm.ctg.client.T.setTimingOn(true);<br />
Both of these traces go to the stderr output stream, so they will appear in the<br />
standard error log file.<br />
Note: Enabling <strong>CICS</strong> TG Java client tracing in an application will enable it for<br />
all applications running in the application server, as a consequence of the<br />
static nature of the T class.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 321
322 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
J2EE resource adapter trace<br />
Resource adapter tracing can either be set programmatically, or by using the<br />
<strong>WebSphere</strong> administrative console to change properties in the connection<br />
factory.<br />
Programmatic trace control<br />
Resource adapter tracing is set programmatically using the<br />
ECIManagedConnectionFactory object. Two steps must be taken to enable<br />
tracing:<br />
1. Turn logging on through the setLogWriter() method.<br />
2. Specify the level of tracing using the setTraceLevel() method as shown:<br />
ECIManagedConnectionFactory mcf = new ECIManagedConnectionFactory();<br />
mcf.setLogWriter(new java.io.PrintWriter(System.out));<br />
mcf.setTraceLevel(new Integer(mcf.RAS_TRACE_INTERNAL));<br />
Valid levels of tracing are as follows, with each level of trace building upon the<br />
previous level. <strong>The</strong>refore, ENTRY_EXIT includes everything in<br />
ERROR_EXCEPTION, and INTERNAL includes all trace levels:<br />
RAS_TRACE_OFF Disable all tracing<br />
RAS_TRACE_ERROR_EXCEPTION Output exception trace stacks<br />
RAS_TRACE_ENTRY_EXIT Output method entry and exit stack traces<br />
RAS_TRACE_INTERNAL Output debug trace entries<br />
.<br />
Tip: We found that the <strong>CICS</strong> resource adapter trace traced the execution of<br />
methods only within the resource adapter itself. <strong>The</strong> resource adapter acts as<br />
a client to the <strong>CICS</strong> TG classes, so enabling <strong>CICS</strong> TG Java client tracing will<br />
provide extra information. We suggest that you combine J2EE resource<br />
adapter trace with the use of the com.ibm.ctg.client.T class, since this will<br />
provide end-to-end debug information.<br />
Managed connections<br />
Tracing on a connection factory is set using the TraceLevel property of the<br />
connection factory resource. To modify tracing, from the <strong>WebSphere</strong><br />
administrative console expand <strong>WebSphere</strong> Administrative Domain -><br />
Resources -> J2C Resource Adapters -> <strong>CICS</strong> ECI and click J2C Connection<br />
Factories. Click the connection factory instance and then click the Connections<br />
tab. <strong>The</strong> TraceLevel property controls the tracing (Figure 11-32 on page 323).
Figure 11-32 Connection factory trace setting<br />
<strong>The</strong> same levels of tracing as for programmatic control are available. <strong>The</strong>se are:<br />
0 Disable all tracing<br />
1 Output exception trace stacks<br />
2 Output method entry and exit stack traces<br />
3 Output debug trace entries<br />
For example, to set a connection factory to trace method entry, exit and<br />
exceptions, enter 2 into the TraceLevel field.<br />
By default the trace output goes to the destination specified in the<br />
setLogWriter() call in application code, and is not output if this method call is not<br />
made. In order to make the trace output go to standard error without<br />
programmatic intervention, the Java system property<br />
com.ibm.connector2.cics.outputerr has to be set on the application server. To<br />
do this, perform the following steps:<br />
1. From the <strong>WebSphere</strong> administrative console, expand <strong>WebSphere</strong><br />
Administrative Domain -> Nodes -> node name -> Application Servers.<br />
Click Default Server.<br />
2. Click the JVM Settings tab.<br />
3. In the System Properties section of the JVM Settings tab, click the Add<br />
button. In the Name field enter com.ibm.connector2.cics.outputerr. In the<br />
Value field, enter true. Click Apply. See Figure 11-33 on page 324.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 323
324 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure 11-33 Defining the Java system properties for the default server<br />
To activate any changes to the default server or a connection factory, the default<br />
server must be restarted. To do this, expand <strong>WebSphere</strong> Administrative<br />
Domain -> Nodes -> node name -> Application Servers. Right-click Default<br />
Server. Stop the server if it is running, then select Start to restart the default<br />
server. <strong>The</strong> connection factory trace output will now go to standard error, so it will<br />
appear in the <strong>WebSphere</strong> standard error log.<br />
JNI trace<br />
<strong>CICS</strong> TG JNI trace is produced when using a local <strong>CICS</strong> TG, and is controlled<br />
with the Java system property gateway.T.setJNITFile. <strong>The</strong> property value<br />
specifies the file name where the JNI trace is output. This must be set on the<br />
application server. To do this, perform the following steps:<br />
1. From the <strong>WebSphere</strong> administrative console, expand <strong>WebSphere</strong><br />
Administrative Domain -> Nodes -> node name -> Application Servers.<br />
Click Default Server.<br />
2. Click the JVM Settings tab.<br />
3. In the System Properties section of the JVM Settings tab, click the Add<br />
button. In the Name field enter gateway.T.setJNITFile. In the Value field<br />
enter C:\<strong>WebSphere</strong>\AppServer\logs\ctgjni.trc and then click Apply.<br />
<strong>The</strong> completed window should now look as shown in Figure 11-34.
Figure 11-34 Defining the JNI trace system property<br />
<strong>The</strong> default server must be restarted for the Java system property to be<br />
activated. <strong>The</strong> JNI trace output will now go to the file ctgjni.trc in the <strong>WebSphere</strong><br />
logs directory.<br />
Note: If a plain file name is specified for the JNI Java system property, the file will<br />
be created in the <strong>WebSphere</strong> bin directory, in \<strong>WebSphere</strong>\AppServer\bin.<br />
Tip: <strong>CICS</strong> TG Java class library JNI trace is only produced when using a local<br />
<strong>Gateway</strong>. When using a remote <strong>Gateway</strong> daemon, the JNI trace must be<br />
enabled on the remote <strong>Gateway</strong> machine. For information about how to enable<br />
JNI trace on a <strong>Gateway</strong> daemon, refer to 7.4.2, “Tracing” on page 170.<br />
Chapter 11. <strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows 325
326 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Part 5 Appendixes<br />
Part 5<br />
In this section, we describe the sample applications provided with this book, and<br />
how to install and use them.<br />
We also provide details on how to set up and install DFHCNV data conversion<br />
templates for conversion of ASCII data to EBCDIC.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 327
328 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Appendix A. DFHCNV and <strong>CICS</strong> data<br />
conversion<br />
A<br />
If you chose to convert data within <strong>CICS</strong>, then this data conversion will be<br />
performed by the <strong>CICS</strong> data conversion program DFHCCNV, in combination with<br />
conversion templates defined using the DFHCNV macro. When using the <strong>CICS</strong><br />
<strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG), conversion is different for External Call<br />
Interface (ECI) and External Presentation Interface (EPI) requests, so we<br />
examine each of these separately in the following sections.<br />
Note: It is also possible to convert character data from ASCII to EBCDIC, and<br />
numeric data from little-endian to big-endian within the Java client application.<br />
This can be achieved either by using the data marshalling capabilities of the<br />
Java Record Framework, or by writing your own conversion routines. For<br />
further guidance on these options, please refer to Appendix B, “Data<br />
conversion” in the redbook, Java Connectors for <strong>CICS</strong>, SG24-6401.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 329
ECI applications<br />
Web Browser<br />
330 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
ECI applications use the facilities of the <strong>CICS</strong> mirror program to link to the<br />
specified user program, passing a buffer known as the COMMAREA for input and<br />
output. <strong>The</strong> <strong>CICS</strong> mirror program (DFHMIRS) invokes the services of the data<br />
conversion program (DFHCCNV) to perform the necessary conversion of the<br />
COMMAREA (Figure A-1).<br />
<strong>CICS</strong> TG<br />
ECI<br />
z/OS, Linux, AIX, Solaris, Windows<br />
Figure A-1 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, ECI data conversion<br />
Only if DFHCCNV finds a conversion template in the DFHCNV table that<br />
matches the program name will it perform code page translation for the<br />
COMMAREA associated with the ECI request. Example A-1 shows the DFHCNV<br />
table entry we used for the program ECIPROG.<br />
Example: A-1 DFHCNV entry<br />
Mirror<br />
program<br />
DFHMIRS<br />
<strong>CICS</strong> TS region<br />
DFHCCNV<br />
<strong>CICS</strong><br />
program<br />
DFHCNV TYPE=ENTRY,RTYPE=PC, *<br />
CLINTCP=850,SRVERCP=037, *<br />
RNAME=ECIPROG,USREXIT=NO<br />
DFHCNV TYPE=SELECT,OPTION=DEFAULT<br />
DFHCNV TYPE=FIELD,OFFSET=0,DATATYP=CHARACTER, *<br />
DATALEN=27,LAST=YES<br />
<strong>The</strong> SRVERCP should represent the EBCDIC code page in which the data is<br />
stored within <strong>CICS</strong>. <strong>The</strong> CLINTCP should be the default code page for client<br />
requests, but this can be overridden by information flowed from the <strong>CICS</strong><br />
Universal Client, which is determined from the code page of the client machine.<br />
(Note that the <strong>CICS</strong> TG supplied CicsCpRequest object allows you to determine<br />
the code page used by the <strong>CICS</strong> Universal Client). <strong>The</strong> DATALEN should be the<br />
maximum length of the COMMAREA you require to be translated.<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A
<strong>The</strong> name of the mirror transaction that executes the ECI request can be<br />
modified using the extended constructor for the ECIRequest object (Figure A-2),<br />
but it will default to CPMI if using the <strong>CICS</strong> TG on a distributed platform or CSMI<br />
if using V4 or <strong>V5</strong> of the <strong>CICS</strong> TG on z/OS (see Table A-1 on page 332). This can<br />
be important, since it can affect the way in which data conversion occurs.<br />
byte abCommarea[] = new byte[];<br />
abCommarea = "abcd".getBytes();<br />
String strTranid = "MIR1"; // Private <strong>CICS</strong> mirror<br />
Java<strong>Gateway</strong> jgaConnection = new Java<strong>Gateway</strong>();<br />
jgaConnection.open;<br />
ECIRequest eciRequest = new ECIRequest();<br />
ECIRequest.ECI_SYNC_TPN, // Call type<br />
strServerName, // <strong>CICS</strong> Server<br />
strUserName, // <strong>CICS</strong> userid<br />
strPassword, // Password<br />
strProgramName, // Program name<br />
strTranid, // Mirror eci_transid<br />
abCommarea); // Commarea byte array<br />
jgaConnection.flow(eciRequest);<br />
String strCommarea = new String(abCommarea);<br />
Figure A-2 Specifying a private mirror on the ECIRequest constructor<br />
For ECI requests from distributed platforms, the mirror transaction always calls<br />
DFHCCNV, and, if a DFHCNV conversion template is present, data conversion<br />
will take place. DFHCCNV is always called, because the distributed <strong>CICS</strong> TG<br />
sets a data conversion trigger in the ECI call, and also flows a client code page<br />
(which will override the CLINTCP setting in the DFHCNV template). For ECI<br />
requests from the <strong>CICS</strong> TG on z/OS, this data conversion trigger is also set if the<br />
EXCI uses an EXCI Version 2 call, and so DFHCCNV is always called. However,<br />
unlike ECI requests from distributed platforms, the client code page is not flowed<br />
with the ECI request, and so the value from the CLINTCP parameter in the<br />
DFHCNV template will be used.<br />
EXCI Version 2: In <strong>CICS</strong> TS V1.3, the fix for APAR PQ38644 adds the EXCI<br />
Version 2. In contrast to the earlier version, Version 2 supports the data<br />
conversion trigger in EXCI calls. <strong>The</strong> <strong>CICS</strong> TG on z/OS V4 and <strong>V5</strong> exploits this<br />
trigger and DFHCCNV is therefore always called for an ECI request.<br />
<strong>The</strong> use of EXCI Version 2 also removes the need for the DFHMIRR program,<br />
which was introduced as an optional workaround to always trigger DFHCCNV<br />
from the mirror transaction. Since it is not shipped with <strong>CICS</strong>, it must be created<br />
Appendix A. DFHCNV and <strong>CICS</strong> data conversion 331
332 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
as a copy of the supplied mirror program DFHMIRS. If you have implemented this<br />
use of DFHMIRR, you should install the fix for APAR PQ38644 after migrating to<br />
<strong>CICS</strong> TS V1.3, then upgrade your <strong>CICS</strong> TG to V4 or <strong>V5</strong> to enable use of the<br />
EXCI Version 2, and so abandon DFHMIRR altogether.<br />
This technique is to be encouraged, since it also solves the possible problem of<br />
double code page conversion in a <strong>CICS</strong>plex. This can occur when the user<br />
application specified in the ECIRequest is actually in a region remote from the<br />
region that first runs the mirror transaction. <strong>The</strong> mirror transaction will set the<br />
data conversion trigger to off when routing the DPL request through to the<br />
remote region. Prior to the EXCI Version 2, you had to specify different DFHCNV<br />
tables for the two <strong>CICS</strong> regions, or associate different mirror program names to<br />
the mirror transactions in each region.<br />
Table A-1 Mirror transaction characteristics for ECI requests<br />
Default ECI<br />
mirror transid<br />
Supports data<br />
conversion<br />
trigger?<br />
Mirror calls<br />
DFHCCNV on<br />
DPL request?<br />
LU 6.2 or TCP62<br />
connection<br />
EXCI V2 connection<br />
(<strong>CICS</strong> TG V4 or 5)<br />
CPMI CSMI CPMI<br />
Yes, and the trigger<br />
is always set in the<br />
ECI request<br />
If data conversion<br />
trigger is set, mirror<br />
transid is CPMI, or<br />
mirror program is<br />
DFHMIRR<br />
Yes, and the trigger is<br />
always set in the ECI<br />
request<br />
Only if data<br />
conversion trigger is<br />
set, mirror transid is<br />
CPMI, or mirror<br />
program is DFHMIRR<br />
EXCI Version 1<br />
connection<br />
Java on z/OS<br />
Java programs executing on z/OS and using the <strong>CICS</strong> TG ECI methods deserve<br />
a special mention because of the code page considerations on z/OS. Java<br />
strings are stored in Unicode, and Java byte arrays are stored in the native code<br />
page of the operating system. <strong>The</strong> COMMAREA flowed to <strong>CICS</strong> in an<br />
ECIRequest is a Java byte array, but is often converted to or from a string, for<br />
handling within the Java code. If the Java program executes in a Java Virtual<br />
Machine (JVM) on z/OS, then conversion of a string to a byte array will require<br />
the encoding to be specified.<br />
In our previous example (Figure A-2 on page 331), we used the method<br />
String.getBytes() to convert our string to a byte array, and the default String<br />
constructor to convert the byte array to a string. This will convert the byte array to<br />
a string using the default platform encoding. On Intel or UNIX platforms, this<br />
encoding will probably be US ASCII (ISO 8859-1); however, on z/OS it will be<br />
No<br />
Only if mirror transid<br />
is CPMI, or mirror<br />
program is<br />
DFHMIRR
Web Browser<br />
1047 (an extended 037 EBCDIC code page). Unicode and ASCII share the first<br />
256 code points, so conversion works fine on ASCII platforms, but on z/OS it will<br />
not give the correct results. <strong>The</strong> solution to this is to make the Java application<br />
code page aware, by defining the code page of the COMMAREA byte array in the<br />
Java code (Figure A-3).<br />
ASCII<br />
ASCII<br />
Unicode<br />
Unicode<br />
JVM<br />
ASCII<br />
ASCII<br />
Figure A-3 Code page-aware servlet, ASCII input to <strong>CICS</strong><br />
ASCII<br />
ASCII<br />
<strong>CICS</strong> <strong>Transaction</strong> Server<br />
DFHCNV EBCDIC<br />
DFHCNV<br />
EBCDIC<br />
Figure A-4 shows a sample of a code page-aware Java ECI application, that<br />
converts the COMMAREA to and from ASCII using the encoding parameter on<br />
the String.getBytes() method and the modified String constructor.<br />
byte abCommarea[] = new byte[];<br />
abCommarea = "abcd".getBytes("8859_1");<br />
Java<strong>Gateway</strong> jgaConnection = new Java<strong>Gateway</strong>();<br />
jgaConnection.open;<br />
ECIRequest eciRequest = new ECIRequest();<br />
ECIRequest.ECI_SYNC, // Call type<br />
strServerName, // <strong>CICS</strong> Server<br />
strUserName, // <strong>CICS</strong> userid<br />
strPassword, // Password<br />
strProgramName, // Program name<br />
abCommarea); // Commarea byte array<br />
jgaConnection.flow(eciRequest);<br />
String strCommarea = new String(abCommarea,"8859_1");<br />
Figure A-4 Code page-aware Java application— ASCII COMMAREA<br />
<strong>CICS</strong><br />
program<br />
Note: This technique means that the COMMAREA always flows to <strong>CICS</strong> in<br />
ASCII, and so you will then need to ensure that you create a correct DFHCNV<br />
table entry in your <strong>CICS</strong> region in order to convert the COMMAREA from<br />
ASCII to EBCDIC. This is not as inefficient as it sounds, since data conversion<br />
from Unicode to ASCII is an efficient operation in Java, since it just involves<br />
the removal of the high order byte.<br />
Appendix A. DFHCNV and <strong>CICS</strong> data conversion 333
Web Browser<br />
334 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
An alternative to this is to create an EBCDIC byte array within the Java code<br />
(Figure A-5). This removes the need for the DFHCNV entry, but increases the<br />
cost within the Java code, because conversion from Unicode to EBCDIC in Java<br />
requires a table lookup. A Java code example is shown in Figure A-6.<br />
ASCII<br />
ASCII<br />
Unicode<br />
Figure A-5 Code page-aware servlet, EBCDIC input to <strong>CICS</strong><br />
JVM <strong>CICS</strong> <strong>Transaction</strong> Server<br />
EBCDIC<br />
Unicode EBCDIC EBCDIC<br />
byte abCommarea[] = new byte[];<br />
abCommarea = "abcd".getBytes("037");<br />
EBCDIC<br />
Java<strong>Gateway</strong> jgaConnection = new Java<strong>Gateway</strong>();<br />
jgaConnection.open;<br />
ECIRequest eciRequest = new ECIRequest();<br />
ECIRequest.ECI_SYNC, // Call type<br />
strServerName, // <strong>CICS</strong> Server<br />
strUserName, // <strong>CICS</strong> userid<br />
strPassword, // Password<br />
strProgramName, // Program name<br />
abCommarea); // Commarea byte array<br />
jgaConnection.flow(eciRequest);<br />
String strCommarea = new String(abCommarea,"037");<br />
Figure A-6 Code page-aware Java application— EBCDIC COMMAREA<br />
<strong>CICS</strong><br />
program
EPI applications<br />
Web Browser<br />
For EPI requests from the <strong>CICS</strong> TG, the <strong>CICS</strong> data conversion program,<br />
DFHCCNV is also used to convert data from the ASCII code page of the<br />
<strong>CICS</strong> TG platform to the EBCDIC code page of the <strong>CICS</strong> region (Figure A-7).<br />
<strong>CICS</strong> TG<br />
Web server<br />
Linux, AIX, Solaris, Windows<br />
EPI<br />
Figure A-7 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong>, EPI data conversion<br />
DFHCCNV<br />
3270<br />
virtual terminal<br />
<strong>CICS</strong><br />
application<br />
<strong>CICS</strong> region on z/OS<br />
All EPI requests must first create a virtual 3270 terminal definition in <strong>CICS</strong>. This<br />
definition is installed using the EPIRequest.addTerminal() method or the<br />
Terminal object. <strong>CICS</strong> then runs the transactions specified in subsequent EPI<br />
requests as if they were started on that terminal. When the terminal definition is<br />
autoinstalled in <strong>CICS</strong>, it is, like all autoinstalled terminals, created using a <strong>CICS</strong><br />
TYPETERM definition. <strong>The</strong> CGCSGID value in the TYPETERM definition<br />
determines the server code page. <strong>The</strong> <strong>CICS</strong> TG supplies the client code page<br />
from the <strong>CICS</strong> Universal Client installation. This can be overridden using the<br />
CCSid field on the EPIRequest.addTerminal() method.<br />
<strong>The</strong> available code page pairs are a subset of the those available for ECI<br />
applications. Refer to <strong>CICS</strong> Family: Communicating from <strong>CICS</strong> on<br />
System/390®, SC33-1697, for the most recent list.<br />
Appendix A. DFHCNV and <strong>CICS</strong> data conversion 335
336 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Appendix B. Sample applications<br />
B<br />
In this appendix, we detail the two sample applications provided with the<br />
redbook:<br />
► CTGTesterECI<br />
<strong>The</strong> CTGTesterECI application uses the ECIRequest class (provided in the<br />
<strong>CICS</strong> TG base classes) to flow an ECI request to a <strong>CICS</strong> region. It uses a<br />
simple JSP/servlet design with all the business logic in the servlet.<br />
► CTGTesterCCI.<br />
CTGTesterCCI uses the J2EE CCI classes and the ECI resource adapter to<br />
flow an ECI request to <strong>CICS</strong>. As such, it will only run in an Application Server<br />
where the ECI resource adapter has already been installed. It uses a<br />
JSP/servlet/EJB design with the business logic split between the servlet and<br />
the EJB session bean.<br />
Both of these applications are designed for the testing of connectivity from the<br />
Web application server to <strong>CICS</strong>. As such, all the <strong>CICS</strong> dependencies, such as<br />
COMMAREA size, input, encoding and length, are externalized to enable you to<br />
test different configurations. <strong>The</strong>y are not designed as production applications,<br />
since such externals are unlikely to be exposed in real-life customer applications.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 337
<strong>The</strong> CTGTesterECI application<br />
Application overview<br />
338 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> CTGTesterECI enterprise application contains a Java servlet that we used<br />
during this project in our various test scenarios. It is intended to provide a simple<br />
enterprise application that can be used “out of the box” to test ECI connectivity<br />
from any <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> to any configured <strong>CICS</strong> region. It is written<br />
for simplicity and thus is not intended as a real-life customer application. All input<br />
parameters can be specified as HTTP query strings or HTML form parameters,<br />
and all output is through text-based HTML.<br />
It has the following features:<br />
► Setting of the <strong>CICS</strong> server, mirror transaction, user ID and password<br />
► Setting of the <strong>Gateway</strong> daemon URL and port<br />
► Setting of the COMMAREA input, encoding, and length<br />
► Setting of <strong>CICS</strong> TG Java client trace<br />
<strong>The</strong> application consists of a number of JSPs and a servlet. Figure B-1 illustrates<br />
the complete architecture of the enterprise application.<br />
Web browser<br />
HTML<br />
JSP<br />
<strong>WebSphere</strong> Application<br />
Server for Windows<br />
servlet<br />
CTGTesterECIServlet<br />
Figure B-1 Architecture of CTGTesterECI<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> TG<br />
Java<br />
classes<br />
<strong>CICS</strong> TS<br />
<strong>CICS</strong><br />
program<br />
<strong>The</strong> following list explains the sequence of events that occur when the end user<br />
interacts with the application through a Web browser, illustrated in Figure B-2 on<br />
page 339.<br />
1. <strong>The</strong> end user opens the Web application using a Web browser.<br />
2. <strong>The</strong> end user clicks a button on a Web page that submits a form to the servlet.<br />
3. <strong>The</strong> servlet receives the request for action and uses the <strong>CICS</strong> TG Java<br />
classes to execute a program on the <strong>CICS</strong> server.<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A<br />
z/OS
4. <strong>The</strong> <strong>CICS</strong> TG Java classes return data from the <strong>CICS</strong> program to the servlet.<br />
5. <strong>The</strong> servlet forwards to a JSP, which displays the response to the end user.<br />
Web browser<br />
Figure B-2 Flow of CTGTesterECI<br />
CTGTesterECI<br />
1 welcome<br />
JSP<br />
2<br />
servlet<br />
CTGTesterECIServlet<br />
3<br />
5<br />
4<br />
success<br />
results<br />
JSP<br />
eci error<br />
error<br />
JSP<br />
We developed and tested our application using <strong>WebSphere</strong> Studio Application<br />
Developer Integration Edition. We chose this environment instead of VisualAge<br />
for Java V4, because it supports editing of EJB 1.1 deployment descriptors, and<br />
can generate deployment code suitable for the <strong>WebSphere</strong> Application Server<br />
V4 container. It can export deployed application files directly, ready for installation<br />
into <strong>WebSphere</strong> Application Server V4. <strong>The</strong>se application files include J2EE<br />
enterprise archives (EAR files), Web application archives (WAR files), and EJB<br />
1.1 deployed JAR files. Application Developer also provides a suitable local test<br />
environment for testing your application components because it uses<br />
<strong>WebSphere</strong> Application Server Advanced Single Server V4.<br />
As an alternative to using Application Developer, you can use VisualAge for Java<br />
in combination with the Application Assembly Tool (AAT) to produce deployable<br />
enterprise beans for <strong>WebSphere</strong> Application Server Advanced Edition.<br />
HTML form<br />
<strong>The</strong> HTML form is in index.jsp. It consists of a number of fields where data for the<br />
application is entered. <strong>The</strong> fields are explained in Table B-1 on page 339.<br />
Table B-1 Fields in the HTML form, CTGTesterECI<br />
Field Name Purpose<br />
exception<br />
exception<br />
JSP<br />
<strong>CICS</strong> program name funcName Program on <strong>CICS</strong> to call<br />
<strong>CICS</strong> TG<br />
Java<br />
classes<br />
Appendix B. Sample applications 339
340 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Field Name Purpose<br />
COMMAREA input commareaInput COMMAREA data<br />
COMMAREA length commareaLength Length of the COMMAREA<br />
Encoding encoding Encoding to convert data to before<br />
sending and after receiving<br />
<strong>Gateway</strong> daemon URL gatewayURL URL of the <strong>Gateway</strong> daemon to use<br />
<strong>Gateway</strong> daemon port gatewayPort Port of the <strong>Gateway</strong> daemon<br />
<strong>CICS</strong> Server server Server name as defined to the Client<br />
daemon to use<br />
User ID username User name to flow on the ECI request<br />
Password password Password to flow on the ECI request<br />
Mirror transaction mirror <strong>Transaction</strong> to use on the <strong>CICS</strong> server<br />
Trace trace Whether to enable <strong>CICS</strong> TG Java client<br />
trace<br />
<strong>The</strong> action of the HTML form is to call the servlet CTGTesterECIServlet, using<br />
the POST method to send the parameters. This means that the parameters are<br />
sent in the HTTP request body. Because an HTTP POST request is intended to<br />
affect some sort of change on the Web server, a Web browser will prompt to<br />
resubmit the data if the user clicks Refresh on the results page. Conversely, the<br />
GET method could be used, which sends the parameters on the HTTP request<br />
URL. Because HTTP GETs are not intended to alter anything on the Web server,<br />
the results page of such a request can be refreshed without a prompt being<br />
shown.<br />
Servlet<br />
In the following section, we describe the major code sections in the<br />
CTGTesterECIServlet servlet and how the servlet functions.<br />
<strong>The</strong> servlet is defined to be in the package itso.cics.eci.testereci. Figure B-3<br />
on page 341 shows the import statements used to give us access to the Java<br />
packages used in the servlet. <strong>The</strong> import of javax.servlet and<br />
javax.servlet.http give us access to the Java Servlet API set of classes; the<br />
import of java.io, java.util and java.text are required for utility classes used<br />
in the servlet; the import of com.ibm.ctg.client provides the <strong>CICS</strong> TG Java<br />
class library.
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
import javax.servlet.*;<br />
import com.ibm.ctg.client.*;<br />
import java.io.PrintWriter;<br />
import java.io.IOException;<br />
import java.util.Date;<br />
import java.util.StringTokenizer;<br />
import java.text.DateFormat;<br />
import java.text.SimpleDateFormat;<br />
Figure B-3 Import statements<br />
Figure B-4 on page 342 shows the opening code section of our servlet. We<br />
extend the HTTPServlet class to make our class an HTTP protocol servlet.<br />
Following this, we first declare our instance variables and objects. <strong>The</strong>se are<br />
variables that we wish to share across all threads running within the servlet.<br />
Appendix B. Sample applications 341
Figure B-4 Class variables<br />
342 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
public class CTGTesterECIServlet extends HttpServlet<br />
{<br />
// date loaded into application server<br />
private Date loadedDate;<br />
// jsp names<br />
private static final String jspResults = "results.jsp";<br />
private static final String jspError = "error.jsp";<br />
private static final String jspException = "exception.jsp";<br />
// names of attributes set in the request<br />
private static final String attrResultsString = "results";<br />
private static final String attrDefaultResultsString = "defaultResults";<br />
private static final String attrHexResultsString = "hexResults";<br />
private static final String attrErrorMessages = "errorMessages";<br />
private static final String attrErrorException = "errorException";<br />
private static final String attrLastLoaded = "lastLoaded";<br />
private static final String attrCicsProgram = "funcName";<br />
private static final String attr<strong>Gateway</strong>URL = "gatewayURL";<br />
private static final String attr<strong>Gateway</strong>Port = "gatewayPort";<br />
private static final String attrServer = "server";<br />
private static final String attrUsername = "username";<br />
private static final String attrHttpUsername = "httpusername";<br />
private static final String attrMirror = "mirror";<br />
private static final String attrCommareaLength = "commareaLength";<br />
private static final String attrCommarea = "commareaInput";<br />
private static final String attrManaged = "managed";<br />
private static final String attrEncoding = "encoding";<br />
private static final String attrReturnCode = "returnCode";<br />
private static final String attrReturnString = "returnString";<br />
private static final String attrAbendCode = "abendCode";<br />
private static final String attrTrace = "trace";<br />
private static final String attrProgress = "progress";<br />
We declare the names of the JSPs we use to display the results of the program,<br />
as well as the attribute names we use to pass the results to the JSPs.<br />
<strong>The</strong> Servlet interface class contains the init(), destroy(), and service()<br />
methods. <strong>The</strong> first of these methods we define is our init() method (Figure B-5<br />
on page 343). <strong>The</strong> purpose of the init() method is to perform the necessary<br />
servlet initialization. It is guaranteed to be the first method to be called on any<br />
servlet instance. <strong>The</strong> servlet implemented may choose to override this method to<br />
perform custom servlet initialization. In our init() method, we instantiate our<br />
loadedDate object so as to set the time of loading and also call the superclass<br />
init() method to ensure the proper HttpServlet initialization occurs.
public void init(ServletConfig sc) throws ServletException<br />
{<br />
// call HttpServlet init method<br />
super.init(sc);<br />
}<br />
// Set time of loading<br />
loadedDate = new Date();<br />
Figure B-5 init() method<br />
<strong>The</strong> Web application server invokes the servlet service() method upon receiving<br />
an HTTP request targeted towards that servlet. This method in turn invokes the<br />
appropriate HTTP-specific method based on the type of request.<br />
HttpServletRequest is an input parameter and contains the HTTP protocol<br />
specified header information. HttpServletResponse is an output parameter and<br />
contains an HTTP protocol-specific header and can return HTML data to the<br />
client. In our servlet we defined a doGet() and doPost() method so the servlet<br />
can handle HTTP GET and POST requests. Both methods are identical; they call<br />
the common processRequest() method, which deals with GET and POST<br />
requests in the same way.<br />
<strong>The</strong> initial section of the processRequest() method is shown in Figure B-6.<br />
public void processRequest(HttpServletRequest request,<br />
HttpServletResponse response) throws IOException<br />
{<br />
Java<strong>Gateway</strong> jgaConnection = null;<br />
// input parameters<br />
String funcName = null;<br />
String encoding = null;<br />
...<br />
String trace = "";<br />
...<br />
// the jsp to forward to for displaying the results<br />
String jsp = jspResults;<br />
// values for strings to be converted into<br />
int commareaLengthInt = 0;<br />
int gatewayDaemonPort = 2006;<br />
// retrieve parameters<br />
funcName = request.getParameter("funcName");<br />
encoding = request.getParameter("encoding");<br />
...<br />
trace = request.getParameter("trace");<br />
Figure B-6 Getting HTML form input<br />
Appendix B. Sample applications 343
344 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
First of all, we set the automatic variable jsp to the name of the JSP we will<br />
forward to at the end of servlet processing. Initially we set this to the name of the<br />
results JSP. <strong>The</strong>n we retrieve the parameters of the HTML form into automatic<br />
String variables.<br />
In the next section of code, partially shown in Figure B-7, we perform some<br />
processing on these parameters. If the user ID or password is empty, then we set<br />
the corresponding variable to null. Later, when we pass these into the<br />
ECIRequest constructor, the null indicates that no user ID or password has been<br />
specified. We convert the integer parameters from Strings into int primitives,<br />
setting an error message if the parameters cannot be converted.<br />
...<br />
...<br />
// set username and password to null if empty<br />
if(username.equals(""))<br />
{<br />
username = null;<br />
}<br />
if(password.equals(""))<br />
{<br />
password = null;<br />
}<br />
// set last loaded date<br />
request.setAttribute(attrLastLoaded, loadedDate.toString());<br />
// set request details<br />
request.setAttribute(attrUsername, username);<br />
request.setAttribute(attrTrace, trace);<br />
// convert commarea length to int<br />
try<br />
{<br />
commareaLengthInt = Integer.parseInt(commareaLength);<br />
// set commarea length attribute<br />
request.setAttribute(attrCommareaLength,<br />
Integer.toString(commareaLengthInt));<br />
}<br />
catch(NumberFormatException ex)<br />
{<br />
messages += "Commarea length not a number";<br />
}<br />
...<br />
// set error messages<br />
request.setAttribute(attrErrorMessages, messages);<br />
Figure B-7 Processing HTML form input
We also use the mechanism for passing data from the servlet into our JSPs to<br />
pass the values of the input parameters to the JSPs. This is done by setting<br />
attributes in the HTTPRequest object associated with the request. Each attribute<br />
has a name and a String value, which can be retrieved in the JSP called at the<br />
end of the servlet processing.<br />
Next we ascertain if a user ID and password are contained in the HTTP basic<br />
authentication header. This will be the case if the Web server has challenged the<br />
Web browser to enter a user ID and password. This user ID and password is<br />
flowed in every HTTP request, and encoded using the Base64 algorithm. This<br />
encoded string can be obtained by invoking the getHeader() method on the<br />
HttpServletRequest object. <strong>The</strong> encoded string must then be passed to a<br />
StringTokenizer object, and decoded using an appropriate decode method. We<br />
utilized a separate utility class, Base64, for this purpose. This supplies the<br />
decode and encode methods and is packaged with CTGTesterECI.<br />
For further details on HTTP basic authentication and Base64 encoding, refer to<br />
the redbook Securing Web Access to <strong>CICS</strong>, SG24-5756.<br />
<strong>The</strong> user ID and password from HTTP basic authentication are sent to the JSP<br />
for output, however they are not flowed to <strong>CICS</strong> in the ECIRequest. <strong>The</strong> code for<br />
doing this is included in the source, but commented out. If you are running the<br />
servlet within <strong>WebSphere</strong> Application Server V3.5 for OS/390 using the <strong>CICS</strong> TG<br />
in local mode, then it is not necessary to explicitly specify the user ID or<br />
password in the ECIRequest object, since the EXCI will flow the user ID of the<br />
HTTP Server thread in the ECIRequest if the user ID parameter in the ECIRequest<br />
object is null. If HTTP basic authentication or SSL client authentication is<br />
enabled in the HTTP Server (using %%CLIENT%%), then the user ID of the thread<br />
will be the client's authenticated user ID. However, we found that when running<br />
the servlet in the Web container provided by <strong>WebSphere</strong> V4 for z/OS, this<br />
behavior no longer occurred, and the user ID was now set to the user ID under<br />
which the J2EE Server instance was running.<br />
When using <strong>WebSphere</strong> Application Server Advanced Edition for Windows, the<br />
user ID and password should be manually set in the ECIRequest object if you<br />
wish to flow them onto <strong>CICS</strong>.<br />
Appendix B. Sample applications 345
346 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> next section of code enables <strong>CICS</strong> TG Java client tracing if the tracing<br />
parameter is set to on (Figure B-8).<br />
if(trace.equals("on"))<br />
{<br />
T.setDebugOn(true);<br />
}<br />
else<br />
{<br />
T.setDebugOn(false);<br />
}<br />
Figure B-8 Enabling <strong>CICS</strong> TG Java client tracing<br />
<strong>The</strong> next section instantiates a Java<strong>Gateway</strong> object, using the URL and port of the<br />
<strong>Gateway</strong> as given in the input to the servlet. This automatically connects to the<br />
<strong>Gateway</strong> daemon so no openJava<strong>Gateway</strong>() method call is needed. Note that<br />
this, along with the other <strong>CICS</strong> TG Java method calls, is enclosed in a try catch<br />
block, so we catch any exceptions that occur.<br />
We then convert the input COMMAREA data into a byte array using the encoding<br />
specified in the form. We then create an ECIRequest object using the parameters<br />
previously input and flow the request to the <strong>CICS</strong> server, as shown in Figure B-9.<br />
// create the ECI Request<br />
eciRequest =<br />
new ECIRequest(<br />
ECIRequest.ECI_SYNC,<br />
cicsServer,<br />
username,<br />
password,<br />
funcName,<br />
mirror,<br />
abCommarea,<br />
commareaLengthInt,<br />
ECIRequest.ECI_NO_EXTEND,<br />
ECIRequest.ECI_LUW_NEW);<br />
// indicate progess<br />
progress += "Flowing ECI request to server";<br />
// send the request to <strong>CICS</strong><br />
jgaConnection.flow(eciRequest);<br />
Figure B-9 Creating an ECIRequest and flowing it to <strong>CICS</strong>
<strong>The</strong> next section of code deals with the results of the ECI request. If there have<br />
been no errors, then we convert the output COMMAREA into String objects,<br />
using both the default encoding and that specified in the form, and pass them to<br />
the JSP. We also convert the original byte data into a String hexadecimal<br />
representation, to help with data conversion debugging, and pass that to the JSP.<br />
If there has been an error, then we set jsp to forward to the name of the JSP that<br />
displays errors (error.jsp). In either case, we pass the ECI return codes and error<br />
strings to the JSP.<br />
<strong>The</strong> next section of code handles any exceptions that occur while building and<br />
sending the ECI request. To deal with an exception, we build a message<br />
consisting of a timestamp and the String representation of the exception that<br />
occurred. We then set a request attribute containing this String and specify we<br />
want to forward to the JSP that displays exceptions (exception.jsp).<br />
We then close the Java<strong>Gateway</strong> connection in a finally block, to ensure it is<br />
closed even if an exception occurs during the flow() method.<br />
<strong>The</strong> final section of code in the processRequest() method forwards to the<br />
appropriate JSP, set in the member variable jsp (Figure B-10).<br />
// route to jsp<br />
ServletContext servletContext = getServletContext();<br />
RequestDispatcher dispatcher =<br />
servletContext.getRequestDispatcher(jsp);<br />
try<br />
{<br />
dispatcher.forward(request, response);<br />
}<br />
catch(ServletException ex)<br />
{<br />
// log exception to servlet log<br />
servletContext.log("Exception routing to jsp: " + ex);<br />
}<br />
Figure B-10 Routing to a JSP<br />
We get the ServletContext object that represents the current request and<br />
response. We then get the RequestDispatcher object for the selected JSP from<br />
the ServletContext. <strong>The</strong> forward() method is called on the RequestDispatcher,<br />
passing in the HttpRequest and HttpResponse. This causes the request to be<br />
forwarded to the JSP, along with the objects representing the session. <strong>The</strong> JSP<br />
will then generate the response HTML.<br />
<strong>The</strong> other method in our servlet is byteArrayToHex(), which takes a byte array<br />
and converts it to a String showing the array data in a hexadecimal form.<br />
Appendix B. Sample applications 347
JSPs<br />
<strong>The</strong> application uses three JSPs to format and display the results. One of three<br />
scenarios can occur:<br />
► <strong>The</strong> request completes successfully<br />
► An error is reported in the ECIRequest object<br />
► An exception occurs inside the <strong>CICS</strong> TG Java class library<br />
348 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
results.jsp<br />
<strong>The</strong> JSP results.jsp processes successful completion of a request. <strong>The</strong> JSP<br />
defines the title of the HTML page and the style sheet used to format the HTML<br />
in the header. <strong>The</strong> JSP defines the JavaBeans components that the page uses to<br />
format and display the results (Figure B-11).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Figure B-11 JavaBeans components used by results.jsp<br />
<strong>The</strong>se components are all in the request scope and are all String objects. <strong>The</strong>ir<br />
IDs correspond to the names of the attributes we set in the HttpRequest in our<br />
servlet. <strong>The</strong>y contain the result of the <strong>CICS</strong> request made by the servlet.<br />
<strong>The</strong> page then includes our common JSP header, which displays the information<br />
specified in the initial form, such as <strong>Gateway</strong> daemon URL and user ID. <strong>The</strong> rest<br />
of the page then outputs the values of the request attributes using the scriptlet<br />
format , shown in Figure B-12. In our application, the<br />
JavaBean component returnCode contains the ECI return code, and is inserted<br />
into the HTML output with the JSP scriplet .<br />
<br />
Return Codes <br />
ECI return code:<br />
ECI error msg:<br />
Abend code:<br />
<br />
Figure B-12 Outputting the results into the HTML
<strong>The</strong> results page outputs the COMMAREA data converted to a String using the<br />
JVM default encoding, the encoding specified in the form and in a hexadecimal<br />
representation. <strong>The</strong> page also outputs the ECI return code, error message, and<br />
<strong>CICS</strong> abend code (which should show normal).<br />
error.jsp<br />
<strong>The</strong> JSP error.jsp processes the results when an ECI error occurred. <strong>The</strong> file is<br />
similar to results.jsp, except it does not display the COMMAREA output (as there<br />
is none), but only shows the ECI return code, error string, and <strong>CICS</strong> abend code,<br />
in a highlighted format. <strong>The</strong> page also shows any errors found in the processing<br />
of the form parameters by the servlet.<br />
exception.jsp<br />
<strong>The</strong> JSP exception.jsp is used when an exception occurs inside the <strong>CICS</strong> TG<br />
Java class library. It does not display output COMMAREA or ECI return codes, as<br />
generally there won't be either. Instead, it displays the contents of the exception<br />
that occurred and any errors found in the processing of the form parameters by<br />
the servlet.<br />
Application XML<br />
<strong>The</strong> XML that describes the enterprise application can be examined from within<br />
<strong>WebSphere</strong> Studio.<br />
Web deployment descriptor<br />
To view the Web application XML, perform the following steps:<br />
1. From J2EE Perspective Navigator, right-click CTGTesterECIWeb and select<br />
Edit Deployment Descriptor.<br />
This displays the Web deployment descriptor editor's General tab. Click the<br />
Servlets tab to show the Servlets pane. Click CTGTesterECIServlet in the<br />
Servlets list (Figure B-13 on page 350).<br />
Appendix B. Sample applications 349
350 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-13 CTGTesterECI Web deployment descriptor servlets panel<br />
We can see that the Servlet class is<br />
itso.cics.eci.testereci.CTGTesterECIServlet, the class we have outlined in<br />
the previous section. <strong>The</strong> display name is CTGTesterECIServlet. <strong>The</strong> URL<br />
mappings section has one entry: CTGTesterECIServlet. This means that a URL<br />
of CTGTesterECIServlet relative to the Web application root will map to this<br />
servlet. Because of the Servlet class entry, this URL will invoke the class<br />
itso.cics.eci.testereci.CTGTesterECIServlet.<br />
<strong>The</strong>re is nothing of note on the Security, Environment or References tabs.<br />
Click the Pages tab to show the Pages pane, shown in Figure B-14 on page 351.<br />
Here we can see the entry index.jsp in the Welcome files pane. This means that<br />
a URL that specifies the Web application root, for example “/”, will cause the<br />
page index.jsp to be looked for in the Web application. We supply an index.jsp,<br />
so this page will be found and displayed in the Web browser.
Figure B-14 CTGTesterECI Web deployment descriptor pages panel<br />
Click the Source tab to display the Source pane. This shows the source of the<br />
web.xml file that is generated from entries in the Web deployment descriptor<br />
editor (Figure B-15 on page 352).<br />
Appendix B. Sample applications 351
352 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<br />
<br />
<br />
CTGTesterECIWeb<br />
<br />
CTGTesterECIServlet<br />
CTGTesterECIServlet<br />
itso.cics.eci.testereci.CTGTesterECIServlet<br />
<br />
<br />
CTGTesterECIServlet<br />
CTGTesterECIServlet<br />
<br />
<br />
index.jsp<br />
<br />
<br />
Figure B-15 CTGTesterECI Web deployment descriptor source<br />
As can be seen, the display name of our Web application is specified with the<br />
tag. Most of the values shown in the XML editor are marked up<br />
using the same name, except for the servlet mapping, which is marked up with<br />
the tag to show which servlet the corresponds to.<br />
Web context root<br />
<strong>The</strong> context root of our Web application can be viewed and edited from the Web<br />
pane in the enterprise application properties window in <strong>WebSphere</strong> Studio. To<br />
see this window, perform the following steps:<br />
1. From the J2EE Perspective Navigator view, right-click CTGTesterECIWeb<br />
and select Properties.<br />
2. From the Properties dialog tree, click the Web node. This shows the Web<br />
panel (Figure B-16 on page 353).
Figure B-16 CTGTesterECIWeb properties Web panel<br />
As shown in the Context Root field, the context root for our Web application is<br />
CTGTesterECIWeb. <strong>The</strong>refore, the URL to invoke the application is<br />
/CTGTesterECIWeb, assuming that, at deploy time, the Application Server is set to<br />
map enterprise applications directly to /. Because the servlet URL mapping is<br />
relative to the context root, the URL /CTGTesterECIWeb/CTGTesterECIServlet<br />
can be used to directly invoke the servlet.<br />
Application deployment descriptor<br />
To view the application deployment descriptor, perform the following steps from<br />
<strong>WebSphere</strong> Studio:<br />
1. From the J2EE Perspective Navigator view, expand CTGTesterECI -><br />
META-INF.<br />
2. Right-click application.xml and select Open.<br />
<strong>The</strong> General tab shows some information about the application. Click the<br />
Modules tab to show the Modules pane. <strong>The</strong> Modules pane defines which<br />
modules make up the enterprise application and shows which URL invokes the<br />
application. Click CTGTesterECIWeb.war (Figure B-17 on page 354).<br />
Appendix B. Sample applications 353
354 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-17 CTGTesterECI application.xml modules panel<br />
As shown, the application uses the CTGTesterECIWeb module. This is a Web<br />
application, so it is contained in a Web Archive Resource (WAR) file. When<br />
CTGTesterECIWeb is built, <strong>WebSphere</strong> Studio builds it into a WAR file with the<br />
name of the Web application, and makes it available to the CTGTesterECI<br />
application. <strong>The</strong> URI of this WAR file is therefore CTGTesterECIWeb.war. <strong>The</strong><br />
Context root field is set to CTGTesterECIWeb, from the CTGTesterECIWeb<br />
application properties.
<strong>The</strong> CTGTesterCCI application<br />
<strong>The</strong> CTGTesterCCI enterprise application contains a Java servlet and a session<br />
bean that we used during this project in our various test scenarios. It is intended<br />
to provide a simple enterprise application that can be used “out of the box” to test<br />
ECI connectivity from any <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> to any configured <strong>CICS</strong><br />
region using the <strong>CICS</strong> ECI resource adapter. It is written for simplicity and thus is<br />
not intended as a real-life customer application. All input parameters can be<br />
specified as HTTP query strings or HTML form parameters, and all output is<br />
through text-based HTML.<br />
It has the following features:<br />
► Setting of the COMMAREA input, encoding, and length<br />
► Setting of <strong>CICS</strong> TG Java client and CCI trace<br />
► Executing a program a number of times<br />
► For an unmanaged connection, setting of the <strong>CICS</strong> application server, <strong>CICS</strong><br />
mirror transaction, <strong>CICS</strong> user ID, and password<br />
► For an unmanaged connection, setting of the <strong>Gateway</strong> daemon URL and port<br />
<strong>The</strong> application consists of a number of JSPs, a servlet, and an enterprise bean.<br />
Figure B-1 on page 338 illustrates the complete architecture of the enterprise<br />
application.<br />
Web browser<br />
HTML<br />
JSP<br />
<strong>WebSphere</strong> Application<br />
Server for Windows<br />
servlet<br />
CTGTesterCCIServlet<br />
session bean<br />
CTGTesterCCI CCI<br />
Figure B-18 Architecture of CTGTesterCCI<br />
<strong>CICS</strong> TG<br />
<strong>CICS</strong> ECI<br />
resource<br />
adapter<br />
<strong>CICS</strong> TS<br />
C<br />
O<br />
M<br />
M<br />
A<br />
R<br />
E<br />
A<br />
z/OS<br />
<strong>CICS</strong><br />
program<br />
Appendix B. Sample applications 355
Application overview<br />
<strong>The</strong> following is the sequence of events that occur when the end user interacts<br />
with the application through a Web browser, illustrated in Figure B-19:<br />
1. <strong>The</strong> end user opens the Web application using a Web browser.<br />
2. <strong>The</strong> end user clicks a button on a Web page that submits a form to the servlet.<br />
3. <strong>The</strong> servlet receives the request for action and calls a method on the remote<br />
interface of the CTGTesterCCI session bean.<br />
4. <strong>The</strong> session bean uses the <strong>CICS</strong> ECI resource adapter to call the <strong>CICS</strong><br />
program.<br />
5. <strong>The</strong> <strong>CICS</strong> ECI resource adapter returns data from the <strong>CICS</strong> program to the<br />
session bean.<br />
6. <strong>The</strong> session bean returns the output data from the <strong>CICS</strong> program back to the<br />
servlet.<br />
7. <strong>The</strong> servlet forwards to a JSP, which displays the response to the end user.<br />
356 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-19 Flow of CTGTesterCCI<br />
CTGTesterECI<br />
1 welcome<br />
JSP<br />
2<br />
servlet<br />
CTGTesterECIServlet<br />
3<br />
6<br />
Web browser<br />
7<br />
success<br />
results<br />
JSP<br />
exception<br />
exception<br />
JSP<br />
session bean<br />
CTGTesterCCI<br />
<strong>CICS</strong><br />
resource<br />
adapter<br />
We developed and tested our application using <strong>WebSphere</strong> Studio Application<br />
Developer Integration Edition. We chose this environment instead of VisualAge<br />
for Java V4, because it supports editing of EJB 1.1 deployment descriptors, and<br />
can generate deployment code suitable for the <strong>WebSphere</strong> Application Server<br />
V4 container. It can export deployed application files directly, ready for installation<br />
into <strong>WebSphere</strong> Application Server V4. <strong>The</strong>se application files include J2EE<br />
enterprise archives (EAR files), Web application archives (WAR files), and EJB<br />
1.1 deployed JAR files. Application Developer also provides a suitable local test<br />
environment for testing your application components because it uses<br />
<strong>WebSphere</strong> Application Server Advanced Single Server V4.<br />
5<br />
4
As an alternative to using Application Developer, you can use VisualAge for Java<br />
in combination with the Application Assembly Tool (AAT) to produce deployable<br />
enterprise beans for <strong>WebSphere</strong> Application Server Advanced Edition.<br />
HTML form<br />
<strong>The</strong> HTML form is in index.jsp in the CTGTesterCCIWeb enterprise application<br />
project in <strong>WebSphere</strong> Studio. It is stored under the webApplication folder. <strong>The</strong><br />
HTML form consists of a number of fields where data for the application is<br />
entered. Some of the fields are not used if a managed connection factory is being<br />
used. <strong>The</strong>se are marked as unmanaged options in the HTML. <strong>The</strong> fields on the<br />
form are shown in Table B-2.<br />
Table B-2 Fields in the HTML form, CTGTesterCCI<br />
Field Name Purpose<br />
Managed managed Whether to use a managed connection<br />
factory or instantiate one directly<br />
<strong>CICS</strong> program name funcName Program on <strong>CICS</strong> to call<br />
COMMAREA input commareaInput COMMAREA data<br />
COMMAREA length commareaLength Length of the COMMAREA<br />
Encoding encoding Encoding to convert data to before<br />
sending and after receiving<br />
Iterations iterations <strong>The</strong> number of times to run the <strong>CICS</strong><br />
program<br />
Application trace appTrace Whether to enable <strong>CICS</strong> TG Java client<br />
trace<br />
Unmanaged options<br />
<strong>Gateway</strong> daemon URL gatewayURL URL of the <strong>Gateway</strong> daemon to use<br />
<strong>Gateway</strong> daemon port gatewayPort Port of the <strong>Gateway</strong> daemon<br />
<strong>CICS</strong> Server server Server name as defined to the Client<br />
daemon to use<br />
User ID username Username to flow on the ECI request<br />
Password password Password to flow on the ECI request<br />
Mirror transaction mirror <strong>Transaction</strong> to use on the <strong>CICS</strong> server<br />
CCI Trace level trace <strong>The</strong> level of CCI trace<br />
Appendix B. Sample applications 357
358 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> action of the HTML form is to call the servlet CTGTesterCCIServlet, using<br />
the POST method to send the parameters. This means that the parameters are<br />
sent in the HTTP request body. Because an HTTP POST request is intended to<br />
affect some sort of change on the Web server, a Web browser will prompt to<br />
resubmit the data if the user clicks Refresh on the results page. Conversely, the<br />
GET method could be used, which sends the parameters on the HTTP request<br />
URL. Because HTTP GETs are not intended to alter anything on the Web server,<br />
the results page of such a request can be refreshed without a prompt being<br />
shown.<br />
Servlet<br />
In the following section, we describe the major code sections in the<br />
CTGTesterCCIServlet servlet and how the servlet functions. <strong>The</strong> servlet is stored<br />
in the CTGTesterCCIWeb enterprise application project in <strong>WebSphere</strong> Studio.<br />
<strong>The</strong> servlet is defined to be in the package itso.cics.j2ee.eci.testercci. It is<br />
stored in the folder source/itso/cics/j2ee/eci/testercci in <strong>WebSphere</strong> Studio.<br />
Figure B-20 shows the import statements used to give us access to the Java<br />
packages used in the servlet. <strong>The</strong> import of javax.servlet and<br />
javax.servlet.http give us access to the Java Servlet API set of classes; the<br />
import of javax.naming gives us access to the JNDI library; the import of<br />
javax.rmi gives us access to the Java Remote Method Invocation library; the<br />
imports of java.io, java.util, and java.text are required for utility classes<br />
used in the servlet; the import of com.ibm.ctg.client provides the <strong>CICS</strong> TG<br />
Java class library.<br />
import javax.servlet.http.*;<br />
import javax.servlet.*;<br />
import javax.naming.*;<br />
import javax.rmi.*;<br />
import java.util.Date;<br />
import java.util.StringTokenizer;<br />
import java.io.UnsupportedEncodingException;<br />
import java.io.IOException;<br />
import java.text.DateFormat;<br />
import java.text.SimpleDateFormat;<br />
Figure B-20 Import statements<br />
Figure B-21 shows the opening code section of our servlet. We extend the<br />
HTTPServlet class to make our class an HTTP protocol servlet. Following this we<br />
then first declare our instance variables and objects, which are variables that we<br />
wish to share across all threads running within the servlet.
public class CTGTesterCCIServlet extends HttpServlet<br />
{<br />
// date loaded into application server<br />
private Date loadedDate;<br />
// jsp names<br />
private static final String jspResults = "results.jsp";<br />
private static final String jspError = "error.jsp";<br />
// names of attributes set in the request<br />
private static final String attrResultsString = "results";<br />
private static final String attrDefaultResultsString = "defaultResults";<br />
private static final String attrHexResultsString = "hexResults";<br />
private static final String attrErrorException = "errorException";<br />
private static final String attrErrorMessages = "errorMessages";<br />
private static final String attrLastLoaded = "lastLoaded";<br />
private static final String attrCicsProgram = "funcName";<br />
private static final String attr<strong>Gateway</strong>URL = "gatewayURL";<br />
private static final String attr<strong>Gateway</strong>Port = "gatewayPort";<br />
private static final String attrServer = "server";<br />
private static final String attrUsername = "username";<br />
private static final String attrHttpUsername = "httpusername";<br />
private static final String attrMirror = "mirror";<br />
private static final String attrCommareaLength = "commareaLength";<br />
private static final String attrCommarea = "commareaInput";<br />
private static final String attrManaged = "managed";<br />
private static final String attrEncoding = "encoding";<br />
private static final String attrTrace = "trace";<br />
private static final String attrIterations = "iterations";<br />
private static final String attrAppTrace = "appTrace";<br />
Figure B-21 Class variables<br />
We declare the names of the JSPs we use to display the results of the program,<br />
as well as the attribute names we use to pass the results to the JSPs.<br />
<strong>The</strong> Servlet interface class contains the init(), destroy(), and service()<br />
methods. <strong>The</strong> first of these methods we define is our init() method<br />
(Figure B-22 on page 360). <strong>The</strong> purpose of the init() method is to perform the<br />
necessary servlet initialization. It is guaranteed to be the first method to be called<br />
on any servlet instance. <strong>The</strong> servlet implemented may choose to override this<br />
method to perform custom servlet initialization. In our init() method, we<br />
instantiate our loadedDate object so as to set the time of loading and also call the<br />
superclass init() method to ensure the proper HttpServlet initialization occurs.<br />
Appendix B. Sample applications 359
Figure B-22 init() method<br />
360 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
public void init(ServletConfig sc) throws ServletException<br />
{<br />
// call HttpServlet init method<br />
super.init(sc);<br />
}<br />
// Set time of loading<br />
loadedDate = new Date();<br />
<strong>The</strong> Web application server invokes the servlet service() method upon receiving<br />
an HTTP request targeted towards that servlet. This method in turn invokes the<br />
appropriate HTTP-specific method based on the type of request.<br />
HttpServletRequest is an input parameter and contains the HTTP protocol<br />
specified header information. HttpServletResponse is an output parameter and<br />
contains an HTTP protocol-specific header and can return HTML data to the<br />
client. In our servlet we defined a doGet() and doPost() method so the servlet<br />
can handle HTTP GET and POST requests. Both methods are identical; they call<br />
the common processRequest() method, which deals with GET and POST<br />
requests in the same way.<br />
<strong>The</strong> initial section of the processRequest() method is shown in Figure B-23 on<br />
page 361.
public void processRequest(HttpServletRequest request,<br />
HttpServletResponse response) throws IOException, ServletException<br />
{<br />
// input parameters<br />
String funcName = null;<br />
String encoding = null;<br />
...<br />
String appTrace = null;<br />
...<br />
// output messages buffer<br />
String messages = "";<br />
...<br />
...<br />
// the jsp to forward to for displaying the results<br />
String jsp = jspResults;<br />
// values for strings to be converted into<br />
int commareaLengthInt = 0;<br />
boolean appTraceBool = false;<br />
// retrieve HTTP request parameters<br />
funcName = request.getParameter("funcName");<br />
encoding = request.getParameter("encoding");<br />
appTrace = request.getParameter("appTrace");<br />
Figure B-23 Getting HTML form input<br />
First of all we set the automatic variable jsp to the name of the JSP we will<br />
forward to at the end of servlet processing. Initially we set this to the name of the<br />
results JSP. <strong>The</strong>n we retrieve the common parameters of the HTML form into<br />
automatic String variables.<br />
In the next section of code, partially shown in Figure B-24 on page 362, we<br />
perform some processing on these parameters. We convert the integer<br />
parameters from Strings into int primitives, setting an error message if the<br />
parameters cannot be converted. We convert the parameters with a yes or no<br />
selection into boolean primitives. We also retrieve the parameters for an<br />
unmanaged connection if the managed parameter is set to no.<br />
Appendix B. Sample applications 361
...<br />
...<br />
...<br />
...<br />
362 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
// convert managed type<br />
if(managed.equals("yes"))<br />
{<br />
managedBool = true;<br />
}<br />
// convert app trace type<br />
if(appTrace.equals("on"))<br />
{<br />
appTraceBool = true;<br />
}<br />
// set common attributes in the request<br />
request.setAttribute(attrCicsProgram, funcName);<br />
request.setAttribute(attrAppTrace, appTrace);<br />
// set last loaded date in the request<br />
request.setAttribute(attrLastLoaded, loadedDate.toString());<br />
// get unmanaged parameters if needed<br />
if(!managedBool)<br />
{<br />
username = request.getParameter("username");<br />
}<br />
trace = request.getParameter("trace");<br />
// set unmanaged request details<br />
request.setAttribute(attrUsername, username);<br />
// set error messages in the request<br />
request.setAttribute(attrErrorMessages, messages);<br />
Figure B-24 Processing HTML form input and getting unmanaged input<br />
We also use the mechanism for passing data from the servlet into our JSPs to<br />
pass the values of the input parameters to the JSPs. This is done by setting<br />
attributes in the HTTPRequest object associated with the request. Each attribute<br />
has a name and a String value, which can be retrieved in the JSP called at the<br />
end of the servlet processing.<br />
Next we ascertain if a user ID and password are contained in the HTTP basic<br />
authentication Header. This will be the case if the Web server has challenged the<br />
Web browser to enter a user ID and password. This user ID and password is<br />
flowed in every HTTP request, and encoded using the Base64 algorithm. This
encoded string can be obtained by invoking the getHeader() method on the<br />
HttpServletRequest object. <strong>The</strong> encoded string must then be passed to a<br />
StringTokenizer object, and decoded using an appropriate decode method. We<br />
utilized a separate utility class, Base64, for this purpose. This supplies the<br />
decode and encode methods and is packaged with CTGTesterCCI.<br />
For further details on HTTP basic authentication and Base64 encoding, refer to<br />
the redbook Securing Web Access to <strong>CICS</strong>, SG24-5756.<br />
<strong>The</strong> user ID and password from HTTP basic authentication are sent to the JSP<br />
for output. However, they are not flowed to <strong>CICS</strong>. <strong>The</strong> code for doing this if using<br />
an unmanaged connection factory is included in the source, but commented out.<br />
<strong>The</strong> next section of code performs a JNDI lookup for our session bean, shown in<br />
Figure B-25.<br />
// lookup our session bean<br />
Context ic = new InitialContext();<br />
Object or = ic.lookup("java:comp/env/ejb/CTGTesterCCI");<br />
CTGTesterCCI tester = null;<br />
if (or != null)<br />
{<br />
CTGTesterCCIHome home = (CTGTesterCCIHome)PortableRemoteObject.narrow(or,<br />
CTGTesterCCIHome.class);<br />
tester = home.create();<br />
}<br />
Figure B-25 JNDI lookup and remote method invocation<br />
We get a JNDI InitialContext and then perform a lookup using the JNDI name<br />
java:comp/env/ejb/CTGTesterCCI. This is a local JNDI name that will be mapped<br />
to the actual JNDI name of the session bean at deploy time. To indicate we want<br />
such a mapping, we create an EJB reference in the Web deployment descriptor<br />
with the name ejb/CTGTesterCCI.<br />
Once we have looked up the object, we get the home interface of our session<br />
bean using the narrow() method call of the RMI class PortableRemoteObject.<br />
This method performs any operations necessary to allow us to invoke the bean’s<br />
create() method and returns a reference to the session bean home interface.<br />
We then call the create() method on this home interface to get a reference to the<br />
remote interface we will use to invoke our business logic.<br />
Next, we execute our business logic on the session bean and collect the results,<br />
as shown in Figure B-26 on page 364.<br />
Appendix B. Sample applications 363
364 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
ResultsBean resultsB = tester.execute(funcName, encoding, commareaInput,<br />
commareaLengthInt, username, password, managedBool, gatewayURL,<br />
gatewayDaemonPort, cicsServer, mirror, traceInt, iterationsInt,<br />
appTraceBool);<br />
String results = resultsB.getResultsString();<br />
// set result string attribute<br />
request.setAttribute(attrResultsString, results);<br />
// get byte data from results<br />
byte[] data = resultsB.getResultsBytes();<br />
// set result string in default encoding attribute<br />
request.setAttribute(attrDefaultResultsString, new String(data));<br />
// set request attribute for hex data<br />
request.setAttribute(attrHexResultsString, byteArrayToHex(data));<br />
Figure B-26 Executing the session bean business logic<br />
<strong>The</strong> execute() method takes all of the HTML form parameters as input and<br />
returns a ResultsBean object. This is a data bean class that encapsulates a<br />
String object and a byte array, and provides methods to get and set both. It is<br />
shown in Figure B-27 on page 365.<br />
If the session bean does not successfully complete the <strong>CICS</strong> request, then it will<br />
throw an exception, so the execute() method call is inside a try catch block.<br />
Assuming the execute() method ran successfully, we set a request attribute for<br />
the COMMAREA converted into a String in the encoding specified in the HTML<br />
form. We also set an attribute with the hexadecimal representation of the<br />
COMMAREA, to aid data conversion debugging, and an attribute with the<br />
COMMAREA converted into a String using the JVM default encoding.
package itso.cics.eci.j2ee.testercci;<br />
import java.io.Serializable;<br />
/**<br />
* Data Bean which stores a results string and a byte array representing the<br />
data which created the string.<br />
* Initially has an empty string and zero length byte array.<br />
*/<br />
public class ResultsBean implements Serializable<br />
{<br />
private String resultsString = "";<br />
private byte[] resultsBytes = new byte[0];<br />
}<br />
public void setResultsString(String data)<br />
{<br />
resultsString = data;<br />
}<br />
public String getResultsString()<br />
{<br />
return resultsString;<br />
}<br />
public void setResultsBytes(byte[] data)<br />
{<br />
resultsBytes = data;<br />
}<br />
public byte[] getResultsBytes()<br />
{<br />
return resultsBytes;<br />
}<br />
Figure B-27 ResultsBean class<br />
<strong>The</strong> next section of code handles any exceptions that occur in the execute()<br />
method and is shown in Figure B-28 on page 366. To deal with an exception, we<br />
build a message consisting of a timestamp of when it was caught, and the String<br />
representation of the exception that occurred. We then set a request attribute<br />
containing this String and specify we want to forward to the JSP that displays<br />
exceptions (exception.jsp).<br />
Appendix B. Sample applications 365
366 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
catch (Throwable t)<br />
{<br />
// exception occured, set exception message in request with timestamp<br />
String nowStr = "";<br />
try<br />
{<br />
SimpleDateFormat sdf = (SimpleDateFormat)DateFormat.getTimeInstance();<br />
sdf.applyPattern("MM/dd/yy HH:mm:ss:SSS");<br />
nowStr = sdf.format(new Date());<br />
}<br />
catch(ClassCastException ex2)<br />
{<br />
// no SimpleDateFormat instance for this locale<br />
}<br />
// format with Date toString<br />
nowStr = (new Date()).toString();<br />
}<br />
request.setAttribute(attrErrorException, nowStr + " : " + t);<br />
// change jsp to use to the error jsp<br />
jsp = jspError;<br />
Figure B-28 Handling exceptions in the execute() method<br />
<strong>The</strong> final section of code in the processRequest() method forwards to the<br />
appropriate JSP, set in the instance variable jsp (Figure B-29).<br />
finally<br />
{<br />
// route to jsp<br />
ServletContext servletContext = getServletContext();<br />
RequestDispatcher dispatcher = servletContext.getRequestDispatcher(jsp);<br />
dispatcher.forward(request, response);<br />
}<br />
Figure B-29 Routing to a JSP<br />
We get the ServletContext object that represents the current request and<br />
response. We then get the RequestDispatcher object for the selected JSP from<br />
the ServletContext. <strong>The</strong> forward() method is called on the RequestDispatcher,<br />
passing in the HttpRequest and HttpResponse. This causes the request to be<br />
forwarded to the JSP, with the objects representing details of the session. <strong>The</strong><br />
JSP will then generate the response HTML.
<strong>The</strong> other method in our servlet is byteArrayToHex(), which takes a byte array<br />
and converts it to a String showing the array data in a hexadecimal form.<br />
Session bean<br />
In the following section, we describe the major code sections in the<br />
CTGTesterCCIBean session bean implementation class and how the bean<br />
functions. <strong>The</strong> session bean is stored in the CTGTesterCCIEJB enterprise<br />
application package in <strong>WebSphere</strong> Studio.<br />
<strong>The</strong> bean consists of three Java classes that define the Home interface<br />
(CTGTesterCCIHome), the Remote interface (CTGTesterCCI) and the bean<br />
implementation (CTGTesterCCIBean). A bean’s home interface defines methods<br />
for locating, creating, and removing instances of beans. A bean’s remote<br />
interface provides the client’s view of the bean, listing the business methods<br />
available on the enterprise bean. <strong>The</strong> bean implementation provides the<br />
implementation of the business logic, and other methods required by the type of<br />
enterprise bean being created.<br />
<strong>The</strong>re are also some EJB stubs and ties in the enterprise application that are<br />
created by the RMI compiler using the menu Generate -> Deploy and RMIC<br />
code in <strong>WebSphere</strong> Studio. <strong>The</strong>se classes are necessary to allow deployment<br />
into <strong>WebSphere</strong> Application Server and testing in the local <strong>WebSphere</strong> Studio<br />
test environment.<br />
<strong>The</strong> bean is defined to be in the package itso.cics.j2ee.eci.testercci. It is<br />
stored in the folder ejbModule/itso/cics/j2ee/eci/testercci in <strong>WebSphere</strong> Studio.<br />
<strong>The</strong> bean implementation is in CTGTesterCCIBean, which we now examine.<br />
Figure B-30 shows the import statements used to give us access to the Java<br />
packages used in the bean. <strong>The</strong> import of com.ibm.connector2.cics give us<br />
access to the <strong>CICS</strong> resource adapter classes; javax.resource.cci gives us<br />
access to the Common Connector Interface library; the import of javax.resource<br />
gives us access to the Java resource library; the javax.ejb gives us access to<br />
the EJB classes; javax.naming.InitialContext is the JNDI naming context<br />
object needed to perform a lookup of a connection factory; the import of<br />
com.ibm.ctg.client.T provides the <strong>CICS</strong> TG Java client trace class.<br />
import com.ibm.connector2.cics.*;<br />
import com.ibm.ctg.client.T;<br />
import javax.resource.cci.*;<br />
import javax.resource.*;<br />
import javax.naming.InitialContext;<br />
import javax.ejb.*;<br />
import java.io.PrintWriter;<br />
Figure B-30 Import statements<br />
Appendix B. Sample applications 367
368 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-31 shows the opening code section of our bean. We implement the<br />
SessionBean interface to make our class a session bean. Following this, we first<br />
declare our instance variables and objects, which are variables that we wish to<br />
share across all threads running within the bean.<br />
public class CTGTesterCCIBean implements SessionBean<br />
{<br />
private SessionContext mySessionCtx;<br />
transient private Connection eciConn;<br />
transient private Interaction eciInt;<br />
transient private ECIInteractionSpec eSpec;<br />
Figure B-31 Class variables<br />
We declare a SessionContext for use in the session bean management methods.<br />
We declare a Connection, Interaction and ECIInteractionSpec for use with the<br />
<strong>CICS</strong> ECI resource adapter.<br />
<strong>The</strong> SessionBean interface class contains the setSessionContext(),<br />
ejbActivate(), ejbPassivate() and ejbRemove() methods. We provide empty<br />
implementations of ejbActivate() and ejbPassivate(). We store a reference to<br />
the SessionContext in setSessionContext(). We define a method ejbCreate(),<br />
which is called when the bean is created, shown in Figure B-32. In this method<br />
we create an ECIInteractionSpec object, which we use when executing the<br />
<strong>CICS</strong> request.<br />
public void ejbCreate() throws CreateException<br />
{<br />
// create an Interaction spec to work with, This is specific to ECI<br />
eSpec = new ECIInteractionSpec();<br />
}<br />
Figure B-32 ejbCreate() method<br />
<strong>The</strong> business logic of our session bean is contained in the method execute().<br />
This is called by clients and takes details about the ECI request to execute as<br />
parameters. <strong>The</strong> initial section of the execute() method is shown in Figure B-33<br />
on page 369.
public ResultsBean execute(<br />
String funcName,<br />
String encoding,<br />
String commarea,<br />
int commareaLength,<br />
String username,<br />
String password,<br />
boolean managed,<br />
String gatewayURL,<br />
int gatewayPort,<br />
String cicsServer,<br />
String mirror,<br />
int trace,<br />
int iterations,<br />
boolean appTrace)<br />
throws ResourceException, Exception<br />
{<br />
JavaStringRecord jsr = null;<br />
Figure B-33 Initial part of execute() method<br />
We create a JavaStringRecord object here. This is based upon a sample shipped<br />
with the <strong>CICS</strong> TG, modified to allow access to the bytes that make up the<br />
COMMAREA data. We added the method getData() to JavaStringRecord to<br />
return the bytes that make up the COMMAREA data.<br />
<strong>The</strong> next piece of code in Figure B-34 on page 370 sets the instance variables<br />
eciConn and eciInt, a Connection and Interaction, from either a managed or<br />
unmanaged connection factory, depending on the value of managed. This is done<br />
by the getConnection() method for a managed connection, and the<br />
getNonManagedConnection() method for unmanaged.<br />
Appendix B. Sample applications 369
if (managed)<br />
{<br />
getConnection();<br />
}<br />
else<br />
{<br />
getNonManagedConnection(<br />
username,<br />
password,<br />
gatewayURL,<br />
gatewayPort,<br />
cicsServer,<br />
mirror,<br />
trace);<br />
}<br />
370 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-34 getting the connection factory<br />
After this, we enable <strong>CICS</strong> TG Java client trace if the appTrace parameter is true.<br />
<strong>The</strong> next section of code sets up the ECIInteractionSpec object eSpec, shown in<br />
Figure B-35. This encapsulates the <strong>CICS</strong> program name, COMMAREA length,<br />
and details of how to flow the request. We specify SYNC_SEND_RECEIVE for a<br />
synchronous request.<br />
// setup the interactionSpec.<br />
eSpec.setFunctionName(funcName);<br />
eSpec.setCommareaLength(commareaLength);<br />
// set reply length to same size as commarea<br />
eSpec.setReplyLength(commareaLength);<br />
eSpec.setInteractionVerb(ECIInteractionSpec.SYNC_SEND_RECEIVE);<br />
Figure B-35 Setting the ECI interaction spec<br />
We then execute the <strong>CICS</strong> program a number of times, specified with the<br />
iterations parameter. <strong>The</strong> section of code for one execution is shown in<br />
Figure B-36 on page 371.
create a record for use<br />
jsr = new JavaStringRecord(encoding);<br />
// set input data if we have any<br />
if (commareaLength > 0)<br />
{<br />
jsr.setText(commarea);<br />
}<br />
// make the call<br />
try<br />
{<br />
eciInt.execute(eSpec, jsr, jsr);<br />
}<br />
catch (ResourceException e)<br />
{<br />
// output the stacktrace and re-throw it back to the client<br />
e.printStackTrace();<br />
dropConnection();<br />
throw e;<br />
}<br />
Figure B-36 Executing an ECI request<br />
We create a JavaStringRecord object to encapsulate the COMMAREA data,<br />
both input and output, and set our input data. We then use the Interaction we<br />
got from the connection factory to execute the request by calling its execute()<br />
method. We pass the ECIInteractionSpec object eSpec, and the<br />
JavaStringRecord object jsr as input and output. If an exception occurs in the<br />
Interaction execute() method, we catch it, print the stack trace to the<br />
application server, drop our <strong>CICS</strong> connection, and rethrow the exception back to<br />
the remote client.<br />
Finally, we close our <strong>CICS</strong> connection, and create and set our response<br />
ResultsBean object, as shown in Figure B-37. We use the text and the byte array<br />
from the JavaStringRecord and return the ResultsBean.<br />
dropConnection();<br />
// return the commarea from the last executed program<br />
ResultsBean resultsB = new ResultsBean();<br />
resultsB.setResultsString(jsr.getText());<br />
resultsB.setResultsBytes(jsr.getData());<br />
return resultsB;<br />
Figure B-37 Returning the results<br />
Appendix B. Sample applications 371
372 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> getConnection() method of our session bean gets a managed connection to<br />
<strong>CICS</strong> using a connection factory published in the JNDI directory. <strong>The</strong> first section<br />
of the code is shown in Figure B-38.<br />
private void getConnection() throws Exception<br />
{<br />
ConnectionFactory cf = null;<br />
try<br />
{<br />
javax.naming.Context ic = new InitialContext();<br />
cf = (ConnectionFactory) ic.lookup("java:comp/env/ECI");<br />
}<br />
catch (Exception e)<br />
{<br />
e.printStackTrace();<br />
throw new Exception(<br />
"Lookup for java:comp/env/ECI failed. Exception: " + e.toString());<br />
}<br />
if (cf == null)<br />
{<br />
throw new Exception("Lookup for java:comp/env/ECI resulted in a null<br />
reference");<br />
}<br />
Figure B-38 Getting a managed <strong>CICS</strong> connection<br />
We create an InitialContext object and use it to look up a ConnectionFactory<br />
using the JNDI name java:comp/env/ECI. This is a local JNDI name that will be<br />
mapped to the actual JNDI name of the connection factory at deploy time. To<br />
indicate we want such a mapping, we create a resource reference in the EJB<br />
deployment descriptor with the name ECI.<br />
If an exception occurs, we print the stack trace to the application server and<br />
throw a new exception detailing what happened, along with the original<br />
exception. If we get a null back from the lookup, we throw an exception<br />
indicating what happened.<br />
<strong>The</strong> next section of code sets the instance variables that reference a Connection<br />
and Interaction, shown in Figure B-39 on page 373.
try<br />
{<br />
eciConn = (Connection) cf.getConnection();<br />
}<br />
catch (Exception e)<br />
{<br />
e.printStackTrace();<br />
throw new Exception(<br />
"failed to get connection from ECI Factory. Exception: "<br />
+ e.toString());<br />
}<br />
try<br />
{<br />
eciInt = (Interaction) eciConn.createInteraction();<br />
}<br />
catch (Exception e)<br />
{<br />
e.printStackTrace();<br />
throw new Exception(<br />
"failed to get interaction from ECI Connection. Exception: "<br />
+ e.toString());<br />
}<br />
Figure B-39 Getting a Connection and Interaction<br />
We use the ConnectionFactory method getConnection() to get our Connection.<br />
We then use the Connection method createInteraction() to get an<br />
Interaction that can be used to flow a request to <strong>CICS</strong>. If either method call<br />
throws an exception, we print the stack trace to the application server and then<br />
throw a new exception explaining what happened, with the original exception<br />
details.<br />
<strong>The</strong> next method in our session bean is getNonManagedConnection(). This gets a<br />
connection to <strong>CICS</strong> that is not managed by a connection factory installed into the<br />
application server. <strong>The</strong> method instantiates the necessary classes directly and<br />
sets some details of the ECI request directly, such as the <strong>CICS</strong> server name. <strong>The</strong><br />
first section of the code is shown in Figure B-40 on page 374.<br />
Appendix B. Sample applications 373
374 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
try<br />
{<br />
ECIManagedConnectionFactory mcf = new ECIManagedConnectionFactory();<br />
// set details<br />
mcf.setConnectionURL(gatewayURL);<br />
mcf.setServerName(cicsServer);<br />
mcf.setPortNumber(Integer.toString(gatewayPort));<br />
if (username.equals("") == false)<br />
{<br />
mcf.setUserName(username);<br />
}<br />
if (password.equals("") == false)<br />
{<br />
mcf.setPassword(password);<br />
}<br />
if (mirror.equals("") == false)<br />
{<br />
mcf.setTranName(mirror);<br />
}<br />
Figure B-40 Instantiating an ECIManagedConnectionFactory directly<br />
We use the various setter methods on ECIManagedConnectionFactory to set the<br />
<strong>Gateway</strong> daemon URL, <strong>Gateway</strong> daemon port, <strong>CICS</strong> server, <strong>CICS</strong> user ID, <strong>CICS</strong><br />
password and <strong>CICS</strong> transaction.<br />
In the next section of code, shown in Figure B-41 on page 375, we set the <strong>CICS</strong><br />
ECI resource adapter trace level and set trace output to go to standard error. We<br />
use the createConnectionFactory() method of ECIManagedConnectionFactory to<br />
create a ConnectionFactory, then we get a Connection and Interaction using<br />
the same methods as for a managed connection factory.
set CCI trace<br />
switch (trace)<br />
{<br />
case 0 :<br />
mcf.setTraceLevel(new Integer(mcf.RAS_TRACE_OFF));<br />
break;<br />
case 1 :<br />
mcf.setTraceLevel(new Integer(mcf.RAS_TRACE_ERROR_EXCEPTION));<br />
break;<br />
case 2 :<br />
mcf.setTraceLevel(new Integer(mcf.RAS_TRACE_ENTRY_EXIT));<br />
break;<br />
case 3 :<br />
mcf.setTraceLevel(new Integer(mcf.RAS_TRACE_INTERNAL));<br />
break;<br />
default :<br />
}<br />
// set trace output to stderr<br />
mcf.setLogWriter(new PrintWriter(System.err));<br />
ConnectionFactory cf = (ConnectionFactory) mcf.createConnectionFactory();<br />
eciConn = cf.getConnection();<br />
eciInt = eciConn.createInteraction();<br />
Figure B-41 Setting CCI trace and getting a Connection and Interaction<br />
<strong>The</strong> final method in our session bean is dropConnection(), which closes our<br />
connection to <strong>CICS</strong>. As shown in Figure B-42 on page 376 we call the close()<br />
method on the Connection and Interaction, then set the references to null.<br />
Appendix B. Sample applications 375
376 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
private void dropConnection()<br />
{<br />
// tidy up the interaction and connection and set our references to<br />
// null.<br />
try<br />
{<br />
eciInt.close();<br />
eciConn.close();<br />
}<br />
catch (Exception e)<br />
{<br />
e.printStackTrace();<br />
}<br />
eciInt = null;<br />
eciConn = null;<br />
}<br />
Figure B-42 Closing the connection to <strong>CICS</strong><br />
JSPs<br />
<strong>The</strong> application uses two JSPs to format and display the results. One of two<br />
scenarios can occur; the request completes successfully, or an exception occurs<br />
inside the <strong>CICS</strong> ECI resource adapter or our code. <strong>The</strong> JSPs are stored in the<br />
CTGTesterCCIWeb enterprise application project in <strong>WebSphere</strong> Studio, under<br />
the webApplication folder.<br />
results.jsp<br />
<strong>The</strong> JSP results.jsp processes successful completion of a request. <strong>The</strong> JSP<br />
defines the title of the HTML page and the style sheet used to format the HTML<br />
in the header. <strong>The</strong> JSP defines the JavaBeans components that the page uses to<br />
format and display the results (Figure B-43).<br />
<br />
<br />
<br />
<br />
<br />
Figure B-43 JavaBeans components used by results.jsp<br />
<strong>The</strong>se components are all in the request scope and are all String objects. <strong>The</strong>ir<br />
IDs correspond to the names of the attributes we set in the HttpRequest in our<br />
servlet. <strong>The</strong>y contain the result of the <strong>CICS</strong> request made by the servlet.
<strong>The</strong> page then includes our common JSP header, which displays the information<br />
specified in the initial form, such as trace level and number of iterations. <strong>The</strong> rest<br />
of the page then outputs the values of the request attributes using the scriptlet<br />
format , shown in Figure B-44. In our application, the<br />
JavaBean component encoding contains the encoding used to convert the input<br />
COMMAREA into bytes, and is inserted into the HTML output with the JSP<br />
scriplet .<br />
<br />
Results COMMAREA <br />
Input:<br />
Output using :<br />
Output using default encoding: <br />
Output in HEX: <br />
<br />
Figure B-44 Outputting the results into the HTML<br />
<strong>The</strong> results page outputs the COMMAREA data converted to a String using the<br />
JVM default encoding, the encoding specified in the form and in a hexadecimal<br />
representation.<br />
error.jsp<br />
<strong>The</strong> JSP error.jsp is used when an error occurs inside the <strong>CICS</strong> ECI resource<br />
adapter or our code, resulting in an exception being thrown. It does not display<br />
the output COMMAREA. Instead, it displays the contents of the exception that<br />
occurred and any errors found in the processing of the form parameters by the<br />
servlet.<br />
Application XML<br />
<strong>The</strong> XML that describes the enterprise application can be examined from within<br />
<strong>WebSphere</strong> Studio.<br />
Web deployment descriptor<br />
To view the Web application XML, perform the following steps from <strong>WebSphere</strong><br />
Studio:<br />
1. From J2EE Perspective Navigator, right-click CTGTesterCCIWeb and select<br />
Edit Deployment Descriptor.<br />
This displays the Web deployment descriptor editor's General tab. Click the<br />
Servlets tab to show the Servlets pane. Click CTGTesterCCIServlet in the<br />
Servlets list (Figure B-45 on page 378).<br />
Appendix B. Sample applications 377
378 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-45 CTGTesterCCI Web deployment descriptor servlets<br />
We can see that the Servlet class is<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIServlet, the class we have<br />
outlined in the previous section. <strong>The</strong> display name is CTGTesterCCIServlet. <strong>The</strong><br />
URL mappings section has one entry; CTGTesterCCIServlet. This means that a<br />
URL of CTGTesterCCIServlet relative to the web application root will map to this<br />
servlet. Because of the Servlet class entry, this URL will invoke the class<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIServlet.<br />
<strong>The</strong>re is nothing of note on the Security or Environment tabs.<br />
Click References to show the References pane, as shown in Figure B-46 on<br />
page 379.
Figure B-46 CTGTesterCCI Web deployment descriptor references<br />
As shown, there is an EJB reference defined in the Web deployment descriptor.<br />
<strong>The</strong> EJB Reference is ejb/CTGTesterCCI, the JNDI name we used in our servlet<br />
to look up our session bean. <strong>The</strong> expected Java class type of the referenced<br />
bean is Session, because our bean is a session bean. <strong>The</strong> Home field contains<br />
the fully qualified name of the enterprise bean’s home interface, which is<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIHome. This class is defined in the<br />
CTGTesterCCIEJB project. <strong>The</strong> Remote field contains the fully qualified name of<br />
the enterprise bean’s remote interface, which is<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCI. Again this class is defined in the<br />
CTGTesterCCIEJB project. <strong>The</strong> JNDI Name field contains the JNDI name that<br />
the enterprise bean is expected to be bound with during runtime. We have<br />
defined a suggested name of ejbs/CTGTesterCCI here, but this can be changed<br />
at deploy time. In the case of <strong>WebSphere</strong> for z/OS, it is necessary to change this<br />
reference at deploy time because the JNDI name of our session bean will not be<br />
ejbs/CTGTesterCCI.<br />
Click the Pages tab to show the Pages pane. We have an entry index.jsp in the<br />
Welcome files pane. This means that a URL that specifies the Web application<br />
root, for example “/”, will cause the page index.jsp to be looked for in the Web<br />
Appendix B. Sample applications 379
380 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
application. We supply an index.jsp, so this page will be found and displayed in<br />
the Web browser.<br />
Click the Source tab to display the Source panel. This shows the source of the<br />
web.xml file that is generated from entries in the Web deployment descriptor<br />
editor (Figure B-47).<br />
<br />
<br />
CTGTesterCCIWeb<br />
<br />
CTGTesterCCIServlet<br />
CTGTesterCCIServlet<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIServlet<br />
<br />
<br />
CTGTesterCCIServlet<br />
CTGTesterCCIServlet<br />
<br />
<br />
index.jsp<br />
<br />
<br />
<br />
ejb/CTGTesterCCI<br />
Session<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIHome<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCI<br />
<br />
<br />
Figure B-47 CTGTesterCCI Web deployment descriptor source<br />
As can be seen, the display name of our Web application is specified with the<br />
tag. Most of the values shown in the Web deployment descriptor<br />
editor are marked up using the same name, except for the servlet mapping,<br />
which is marked up with the tag to show which servlet the<br />
corresponds to. <strong>The</strong> EJB reference is defined using the tag<br />
with an id attribute generated by the editor, in this case EjbRef_1.<br />
All the fields we defined in the editor are here except for the JNDI Name field.<br />
This is stored in the Web app binding XMI file. To view this file, from the J2EE<br />
Perspective Navigator view, expand CTGTesterCCIWeb -> webApplication ->
WEB-INF, right-click ibm-web-bnd.xmi, and select Open. Click the Source tab<br />
to see the source, shown in Figure B-48.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Figure B-48 ibm-web-bnd.xmi source<br />
As shown, the tag has an attribute that defines the JNDI name<br />
to use for our EJB reference. <strong>The</strong> attribute is jndiName and its value is<br />
ejbs/CTGTesterCCI, as we specified in the Web deployment descriptor editor.<br />
<strong>The</strong> tag refers to the EJB reference EjbRef_1, as defined by the<br />
editor in web.xml. This ties the JNDI name defined in the ibm-web-bnd.xmi file to<br />
the EJB reference in the web.xml file.<br />
Web context root<br />
<strong>The</strong> context root of our Web application can be viewed and edited from the Web<br />
pane in the enterprise application properties window in <strong>WebSphere</strong> Studio. To<br />
see this pane, perform the following steps:<br />
1. From the J2EE Perspective Navigator view, right-click CTGTesterCCIWeb<br />
and select Properties.<br />
2. From the Properties dialog tree, click the Web node. This will show the Web<br />
pane (Figure B-49 on page 382).<br />
Appendix B. Sample applications 381
382 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-49 CTGTesterCCIWeb properties Web pane<br />
As shown in the Context Root field, the context root for our Web application is<br />
CTGTesterCCIWeb. <strong>The</strong>refore the URL to invoke the application is<br />
/CTGTesterCCIWeb, assuming that, at deploy time, the Application Server is set to<br />
map enterprise applications directly to /. Because the servlet URL mapping is<br />
relative to the context root, the URL /CTGTesterCCIWeb/CTGTesterCCIServlet<br />
can be used to directly invoke the servlet.<br />
EJB deployment descriptor<br />
To view the EJB deployment descriptor, perform the following steps from<br />
<strong>WebSphere</strong> Studio:<br />
1. From the J2EE Perspective Navigator view, expand CTGTesterCCIEJB -><br />
ejbModules -> META-INF.<br />
2. Right-click ejb-jar.xml and select Open.<br />
<strong>The</strong> General tab shows some information about the session bean. Click the<br />
Beans tab to show the Beans pane. This shows we have one bean defined,<br />
CTGTesterCCI, and that it is a Stateless Session bean. <strong>The</strong> Bean class is<br />
CTGTesterCCIBean, the bean implementation that we outlined in “Session bean”<br />
on page 367. <strong>The</strong> Home interface is CTGTesterCCIHome and the Remote interface<br />
is CTGTesterCCI.<br />
Click the <strong>Transaction</strong> to show the <strong>Transaction</strong> pane. Expand CTGTesterCCI<br />
(Figure B-50 on page 383).
Figure B-50 CTGTesterCCI bean transaction properties<br />
As shown, all remote methods on the bean have a <strong>Transaction</strong> Type of Required.<br />
This means transactionality is required when these methods execute.<br />
Click the References tab to show the References pane. To see our connection<br />
factory reference, select the Resource references radio button and then expand<br />
CTGTesterCCI, as shown in Figure B-51.<br />
Figure B-51 CTGTesterCCI bean resource references<br />
<strong>The</strong> Resource Name is ECI. This is the local JNDI name used in our session<br />
bean to look up the <strong>CICS</strong> connection factory, as outlined in “Session bean” on<br />
Appendix B. Sample applications 383
384 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
page 367. <strong>The</strong> Type is javax.resource.cci.ConnectionFactory, a CCI<br />
connection factory. <strong>The</strong> JNDI name that this is mapped to is not defined in the<br />
EJB deployment descriptor, rather in the extension file ibm-ejb-jar-bnd.xmi.<br />
Click the Source tab to show the Source pane. <strong>The</strong> source of the EJB<br />
deployment descriptor is shown in this pane and in Figure B-52.<br />
<br />
<br />
<br />
CTGTesterCCIEJB<br />
<br />
<br />
CTGTesterCCI<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIHome<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCI<br />
itso.cics.eci.j2ee.testercci.CTGTesterCCIBean<br />
Stateless<br />
Container<br />
<br />
<strong>CICS</strong> ECI Resource adapter<br />
ECI<br />
javax.resource.cci.ConnectionFactory<br />
Container<br />
<br />
<br />
<br />
<br />
<br />
<br />
CTGTesterCCI<br />
Remote<br />
*<br />
<br />
Required<br />
<br />
<br />
<br />
Figure B-52 CTGTesterCCI EJB deployment descriptor source<br />
As shown, most of the names used in the EJB Editor are the same as the tags in<br />
the source. <strong>The</strong> resource reference is defined with the tag . Its id<br />
is ResourceRef_1.
To show what the resource reference is bound to, it is necessary to open the<br />
ibm-ejb-jar-bnd.xmi file. To view this file, from the J2EE Perspective Navigator<br />
view, expand CTGTesterCCIEJB -> ejbModule -> META-INF, right-click<br />
ibm-ejb-jar-bnd.xmi, and select Open. Click the Bindings tab to see the<br />
Bindings pane.<br />
To see the resource reference binding, from the Bindings pane expand<br />
CTGTesterCCIEJB -> CTGTesterCCI -> ResourceRef ECI and click<br />
ResourceRef ECI. As shown in Figure B-53, the resource reference ECI is<br />
bound to the JNDI name eis/<strong>CICS</strong>A. This can be changed to a deployed<br />
connection factory at deploy time. However, when testing we had to define a<br />
connection factory in the test server with the JNDI name eis/<strong>CICS</strong>A so that this<br />
reference would be valid and we could test using managed <strong>CICS</strong> connections.<br />
Figure B-53 CTGTesterCCI bean resource reference binding<br />
To see the JNDI name our session bean is bound to, from the Bindings pane click<br />
CTGTesterCCI. Figure B-54 on page 386 shows that our bean has a suggested<br />
JNDI name of ejbs/CTGTesterCCI. This is the same name we used in our Web<br />
deployment descriptor as the JNDI name of the session bean, in Figure B-46 on<br />
page 379. Because these names are the same, the servlet will look up our<br />
session bean using the same JNDI name as it was bound with. <strong>The</strong>refore the<br />
servlet will find our session bean.<br />
Appendix B. Sample applications 385
386 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure B-54 CTGTesterCCI bean JNDI name<br />
<strong>The</strong> source of the ibm-ejb-jar-bnd.xmi file can be viewed from <strong>WebSphere</strong> Studio<br />
by right-clicking ibm-ejb-jar-bnd.xmi and selecting Open With -> XML Editor.<br />
<strong>The</strong> source is shown in Figure B-55.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Figure B-55 Source of ibm-ejb-jar-bnd.xmi<br />
<strong>The</strong> tag denotes the binding for our resource reference. <strong>The</strong><br />
attribute jndiName is eis/<strong>CICS</strong>A, corresponding to what we specified in the editor.<br />
<strong>The</strong> tag shows which resource reference this binding
specifies. <strong>The</strong> href attribute points to the resource reference ResourceRef_1 in<br />
the EJB deployment descriptor.<br />
Application deployment descriptor<br />
To view the application deployment descriptor, perform the following steps from<br />
<strong>WebSphere</strong> Studio:<br />
1. From the J2EE Perspective Navigator view, expand CTGTesterCCI -><br />
META-INF.<br />
2. Right-click application.xml and select Open.<br />
<strong>The</strong> General tab shows some information about the application. Click the<br />
Modules tab to show the Modules pane. <strong>The</strong> Modules panel defines which<br />
modules make up the enterprise application and shows which URL invokes the<br />
application. Click CTGTesterCCIWeb.war (Figure B-56).<br />
Figure B-56 CTGTesterCCI application.xml modules panel<br />
As shown, the application uses the CTGTesterCCIWeb module. This is a Web<br />
application, so it is contained in a Web Archive Resource (WAR) file. When<br />
CTGTesterCCIWeb is built, <strong>WebSphere</strong> Studio builds it into a WAR file with the<br />
name of the Web application, and makes it available to the CTGTesterCCI<br />
Appendix B. Sample applications 387
388 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
application. <strong>The</strong> URI of this WAR file is therefore CTGTesterCCIWeb.war. <strong>The</strong><br />
Context root field is set to CTGTesterCCIWeb, from the CTGTesterCCIWeb<br />
application properties. <strong>The</strong> EJB module is contained in CTGTesterCCIEJB.jar.
Appendix C. Additional material<br />
This redbook refers to additional material that can be downloaded from the<br />
Internet as described below.<br />
Locating the Web material<br />
<strong>The</strong> Web material associated with this redbook is available in softcopy on the<br />
Internet from the <strong>IBM</strong> <strong>Redbooks</strong> Web server. Point your Web browser to:<br />
ftp://www.redbooks.ibm.com/redbooks/SG246133<br />
Alternatively, you can go to the <strong>IBM</strong> <strong>Redbooks</strong> Web site at:<br />
ibm.com/redbooks<br />
Select the Additional materials and open the directory that corresponds with<br />
the redbook form number, SG246133, and select the zip file for the second<br />
edition of this book, SG246133-01src.zip.<br />
System requirements for downloading the Web material<br />
<strong>The</strong> following system configuration is recommended:<br />
Hard disk space: 2 MB minimum<br />
Operating System: Windows NT or 2000<br />
Processor: Intel Pentium<br />
Memory: 64 MB<br />
C<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 389
Using the Web material<br />
<strong>The</strong> additional Web material (SG246133-01src.zip) that accompanies this<br />
redbook contains the following directory structure:<br />
► <strong>CICS</strong> directory containing the following <strong>CICS</strong> source code:<br />
– EPIPROG.TXT (as used in Chapter 6)<br />
– EPIMAPS.BMS (as used in Chapter 6)<br />
– ECIPROG2.TXT (as used in Chapter 10 and Chapter 11)<br />
► EJB_components directory containing the following EAR files for our sample<br />
Web applications as used in Chapter 10 and Chapter 11:<br />
– CTGTesterECI.ear<br />
– CTGTesterCCI.ear<br />
For further details on these applications, refer to Appendix B, “Sample<br />
applications” on page 337.<br />
► Java directory containing the Java source code tree for the following<br />
packages:<br />
– itso.cics.eci.j2ee.testercci<br />
– itso.cics.eci.testereci<br />
– itso.cics.epi<br />
<strong>The</strong> source for the itso.cics.eci.j2ee.testercci and<br />
itso.cics.eci.testereci packages are also supplied in the EAR files in the<br />
EJB_components directory. <strong>The</strong> package itso.cics.epi contains the<br />
SignonCapable.java and SignonIncapable.java applications used in<br />
conjunction with the <strong>CICS</strong> program EPIPROG in Chapter 6.<br />
► Utilities directory containing the following files:<br />
JNDIView.zip JNDI viewer zip file<br />
listJNDI.cmd DOS cmd file to start JNDIview<br />
tcp62locallu.exe TCP62 LU generation utility<br />
390 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
For details on using tcp62locallu, refer to Chapter 3. For details on using<br />
JNDIView refer to the supplied readme.jndivew.txt file.<br />
If you wish to follow the examples in this redbook, create a subdirectory called<br />
itsoctgv5 on your workstation, and unzip the contents of the Web material zip file<br />
into this folder.
Importing CTGTesterECI into <strong>WebSphere</strong> Studio<br />
<strong>WebSphere</strong> Studio Application Developer Integration Edition (<strong>WebSphere</strong><br />
Studio) includes the <strong>CICS</strong> TG resource adapters and an integrated <strong>WebSphere</strong><br />
test environment. It is possible to edit, compile and run both our sample<br />
enterprise applications from within <strong>WebSphere</strong> Studio.<br />
To import the CTGTesterECI EAR file into <strong>WebSphere</strong> Studio Application<br />
Developer Integration Edition perform the following steps:<br />
1. Select File -> Import. Select EAR file from the Select an import source<br />
window. Click Next.<br />
2. Click the Browse button next to the EAR File field. In the Open window,<br />
navigate to the file CTGTesterECI.ear, select it and click Open.<br />
3. In the field Enterprise Application project name, enter CTGTesterECI (as<br />
shown in Figure C-1). Click Finish.<br />
Figure C-1 <strong>WebSphere</strong> Studio Import window<br />
<strong>WebSphere</strong> Studio will import the contents of the EAR into two enterprise<br />
application projects: CTGTesterECI and CTGTesterECIWeb. CTGTesterECI is<br />
the enterprise project. CTGTesterECIWeb contains the Web deployment<br />
descriptor, JSPs and servlet source code. It will also contain the compiled Java<br />
code that was present in the EAR file. This is not really needed, because the<br />
application can be compiled from the source code. Perform the following steps to<br />
remove the compiled Java code:<br />
1. From the J2EE perspective Navigator, click CTGTesterECIWeb -><br />
webApplication -> WEB-INF -> lib.<br />
Appendix C. Additional material 391
392 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
2. Right-click CTGTesterECIWeb_classes.jar and select Delete from the<br />
pop-up menu.<br />
3. Click Yes on the Delete Resources window.<br />
In order to compile the application, the <strong>CICS</strong> TG Java class library ctgclient.jar<br />
has to be added to the project. This can be added from the <strong>CICS</strong> ECI resource<br />
adapter in <strong>WebSphere</strong> Studio. To add the <strong>CICS</strong> TG Java class library, perform<br />
the following steps:<br />
1. Right-click the CTGTesterECIWeb enterprise application folder and select<br />
Properties.<br />
2. From the Properties window, click the Java Build Path node.<br />
3. Click the Libraries tab. This will show the Libraries window (see Figure C-2).<br />
Figure C-2 <strong>WebSphere</strong> Studio Java Build Path window<br />
4. Click Add JARs.<br />
5. In the JAR Selection window, expand Installed Resource Adapters -> <strong>CICS</strong><br />
ECI.<br />
6. Select ctgclient.jar and click OK.<br />
7. From the Properties window, click OK.
<strong>The</strong> CTGTesterECIWeb application should now compile without warnings.<br />
Testing<br />
To test CTGTesterECI using <strong>WebSphere</strong> Studio, right-click the<br />
CTGTesterECIWeb enterprise application folder, and select Run On Server.<br />
If there are no servers defined, this will create a test server configuration called<br />
<strong>WebSphere</strong> Administrative Domain and a test instance called <strong>WebSphere</strong> V4.0<br />
Test Environment.<br />
<strong>The</strong> Publishing window will appear, followed by the Server window. <strong>The</strong> Console<br />
view will show the integrated <strong>WebSphere</strong> server starting. Once the server is<br />
started (shown by the message Server Default Server open for e-business)<br />
the Web browser view will open at the CTGTesterECI welcome page<br />
(Figure C-3).<br />
Figure C-3 <strong>WebSphere</strong> Studio testing CTGTesterECI<br />
In order to flow a request to <strong>CICS</strong>, the server instance must have the <strong>CICS</strong> TG<br />
Java class libraries added. <strong>The</strong> easiest way to do this is to add the <strong>CICS</strong> ECI<br />
resource adapter to the <strong>WebSphere</strong> server instance. To do this, perform the<br />
following steps:<br />
1. From the Server perspective Server Configuration view, expand Server<br />
Configurations.<br />
2. Right-click <strong>WebSphere</strong> Administrative Domain and select Open.<br />
3. In the <strong>WebSphere</strong> Administrative Domain window that appears, click the J2C<br />
tab.<br />
Appendix C. Additional material 393
394 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
4. In the J2C Resource Adapters section, click Add. <strong>The</strong> Create Resource<br />
Adapter window will appear (Figure C-4).<br />
Figure C-4 Create Resource Adapter window<br />
5. In the Resource Adapter Name drop-down, select <strong>CICS</strong> ECI.<br />
6. Click OK. <strong>The</strong> <strong>WebSphere</strong> Administrative Domain window will look like<br />
Figure C-5 on page 395.
Figure C-5 <strong>WebSphere</strong> Studio server configuration window<br />
7. Select File -> Save <strong>WebSphere</strong> Administrative Domain to save the<br />
changes.<br />
<strong>The</strong> test server must be restarted and republished for these changes to take<br />
effect. To do this, perform the following steps:<br />
1. From the Server perspective Servers view, click the Servers tab.<br />
2. Right-click the server instance <strong>WebSphere</strong> V4.0 Test Environment. Click<br />
Stop.<br />
3. Once the server has stopped, right-click the server instance again and select<br />
Publish. <strong>The</strong> Publishing window will appear.<br />
4. Once publishing has completed, from the Publishing window click OK.<br />
5. Right-click the server instance again and select Start. <strong>The</strong> Server window will<br />
appear.<br />
<strong>The</strong> application can now be tested. For details on how to deploy and test<br />
CTGTesterECI with <strong>WebSphere</strong> for Windows, refer to Chapter 11. For details on<br />
how to deploy and test CTGTesterECI with <strong>WebSphere</strong> for z/OS, refer to<br />
Chapter 10.<br />
Appendix C. Additional material 395
Importing CTGTesterCCI into <strong>WebSphere</strong> Studio<br />
To import the CTGTesterCCI EAR file into <strong>WebSphere</strong> Studio Application<br />
Developer Integration Edition, perform the following steps:<br />
1. Select File -> Import. Select EAR file from the Select an import source<br />
window. Click Next.<br />
2. Click the Browse button next to the EAR File field. In the Open window,<br />
navigate to the file CTGTesterCCI.ear, select it and click Open.<br />
3. In the field Enterprise Application project name, enter CTGTesterCCI<br />
(Figure C-6). Click Finish.<br />
396 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure C-6 <strong>WebSphere</strong> Studio Import window<br />
<strong>WebSphere</strong> Studio will import the contents of the EAR into three enterprise<br />
application projects: CTGTesterCCI, CTGTesterCCIEJB, and<br />
CTGTesterCCIWeb. CTGTesterCCI is the enterprise project that references the<br />
associated Web and EJB projects. CTGTesterCCIEJB contains the EJB<br />
deployment descriptor and session bean source code. CTGTesterCCIWeb<br />
contains the Web deployment descriptor, JSPs, and servlet source code. <strong>The</strong><br />
compiled Java code that was present in the EAR file is also imported. This is not<br />
really needed, because the application can be compiled from the source code.<br />
Perform the following steps to remove the compiled Java code:<br />
1. From the J2EE perspective Navigator, expand CTGTesterCCIWeb -><br />
webApplication -> WEB-INF -> lib.<br />
2. Right-click CTGTesterCCIWeb_classes.jar and select Delete from the<br />
pop-up menu.<br />
3. Click Yes on the Delete Resources window.
4. Expand CTGTesterCCIEJB -> ejbModule.<br />
5. Right-click CTGTesterCCIEJB.imported_classes.jar and select Delete from<br />
the pop-up menu.<br />
6. Click Yes on the Delete Resources window.<br />
7. Right-click the CTGTesterCCIEJB enterprise application folder and select<br />
Edit Module Dependencies. <strong>The</strong> Module Dependencies window will appear<br />
with the imported_classes.jar selected as a dependency (Figure C-7).<br />
Figure C-7 Edit module dependencies window<br />
8. Uncheck CTGTesterCCI.imported_classes.jar.<br />
9. Click Finish.<br />
In order to compile the application, the <strong>CICS</strong> ECI resource adapter Java class<br />
libraries have to be added to the EJB project. <strong>The</strong>se can be added from the <strong>CICS</strong><br />
ECI resource adapter in <strong>WebSphere</strong> Studio. <strong>The</strong> J2EE Connector Architecture<br />
library also has to be added to the EJB and Web projects. To add the required<br />
Java classes to the EJB project, perform the following steps:<br />
1. Right-click the CTGTesterCCIEJB enterprise application folder and select<br />
Properties.<br />
2. From the Properties window, click the Java Build Path node.<br />
Appendix C. Additional material 397
398 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
3. Click the Libraries tab. This will show the Libraries window (see Figure C-2<br />
on page 392).<br />
Figure C-8 <strong>WebSphere</strong> Studio Java Build Path window<br />
4. Click Add JARs.<br />
5. In the JAR Selection window, expand Installed Resource Adapters -> <strong>CICS</strong><br />
ECI.<br />
6. Select ctgclient.jar, cicseci.jar and cicsframe.jar and click OK. Multiple<br />
JAR files can be selected by holding down the Ctrl key when selecting.<br />
7. Click Add Variable. <strong>The</strong> Classpath Variable Selection window will appear<br />
(Figure C-9 on page 399).
Figure C-9 <strong>WebSphere</strong> Studio Classpath Variable Selection window<br />
8. Click the Browse button next to the Variable Name field. <strong>The</strong> Variable<br />
Selection window will appear.<br />
9. From the Variable Selection window, select WAS_PLUGINDIR. Click OK.<br />
10.From the Classpath Variable Selection window, click the Browse button next<br />
to the Path Extension field. <strong>The</strong> JAR Selection window will appear.<br />
11.From the JAR Selection window, select the lib directory and click Open.<br />
12.Select jca.jar and click Open.<br />
13.From the Classpath Variable Selection window, click OK.<br />
14.From the Properties window, click OK.<br />
<strong>The</strong> CTGTesterCCIEJB application should now compile without warnings. To add<br />
the required Java classes to the Web project, perform the following steps:<br />
1. Right-click the CTGTesterCCIWeb enterprise application folder and select<br />
Properties.<br />
2. From the Properties window, click the Java Build Path node.<br />
3. Click the Libraries tab. This will show the Libraries window.<br />
4. Click Add Variable. <strong>The</strong> Classpath Variable Selection window will appear.<br />
5. Click the Browse button next to the Variable Name field. <strong>The</strong> Variable<br />
Selection window will appear.<br />
6. From the Variable Selection window, select WAS_PLUGINDIR. Click OK.<br />
7. From the Classpath Variable Selection window, click the Browse button next<br />
to the Path Extension field. <strong>The</strong> JAR Selection window will appear.<br />
8. From the JAR Selection window, select the lib directory and click Open.<br />
9. Select jca.jar and click Open.<br />
Appendix C. Additional material 399
400 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
10.From the Classpath Variable Selection window, click OK.<br />
11.From the Properties window, click OK.<br />
<strong>The</strong> CTGTesterCCIWeb application should now compile without warnings.<br />
Testing<br />
To test CTGTesterCCI using <strong>WebSphere</strong> Studio, right-click the<br />
CTGTesterCCIWeb enterprise application folder and select Run On Server.<br />
If there are no servers defined, this will create a test server configuration called<br />
<strong>WebSphere</strong> Administrative Domain and a test instance called <strong>WebSphere</strong> V4.0<br />
Test Environment.<br />
<strong>The</strong> Publishing window will appear, followed by the Server window. <strong>The</strong> Console<br />
view will show the integrated <strong>WebSphere</strong> server starting. Once the server is<br />
started (shown by the message Server Default Server open for e-business)<br />
the Web browser view will open at the CTGTesterCCI welcome page (see<br />
Figure C-10).<br />
Figure C-10 <strong>WebSphere</strong> Studio testing CTGTesterCCI
In order to flow a request to <strong>CICS</strong>, the server instance must have the <strong>CICS</strong> ECI<br />
resource adapter added and a connection factory defined. To do this, perform the<br />
following steps:<br />
1. From the Server perspective Server Configuration view, expand Server<br />
Configurations.<br />
2. Right-click <strong>WebSphere</strong> Administrative Domain and select Open.<br />
3. In the <strong>WebSphere</strong> Administrative Domain window that appears, click the J2C<br />
tab.<br />
4. In the J2C Resource Adapters section, click Add. <strong>The</strong> Create Resource<br />
Adapter window will appear (Figure C-11).<br />
Figure C-11 Create Resource Adapter window<br />
5. In the Resource Adapter Name drop-down, select <strong>CICS</strong> ECI and click OK.<br />
6. In the J2C Connection Factories section, click Add. <strong>The</strong> Create Connection<br />
Factory window will appear (Figure C-12 on page 402).<br />
Appendix C. Additional material 401
402 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
Figure C-12 Create Connection Factory window<br />
7. In the Name field, enter a descriptive name. We used SCSCPJA1.<br />
8. In the JNDI name field, enter eis/<strong>CICS</strong>A. Note that this is the JNDI name used<br />
by the session bean to look up the connection factory.<br />
9. Click OK.<br />
10.In the J2C Connection Factories section, select SCSCPJA1. <strong>The</strong> Resource<br />
Properties section will show the connection factory properties.<br />
11.In the Resource Properties section, enter values for a <strong>CICS</strong> TG and <strong>CICS</strong><br />
server connection. We used the following values:<br />
ServerName SCSCPJA1<br />
ConnectionURL local:<br />
12.<strong>The</strong> <strong>WebSphere</strong> Administrative Domain window will now look like Figure C-13<br />
on page 403.
Figure C-13 Server configuration window<br />
13.Select File -> Save <strong>WebSphere</strong> Administrative Domain to save the<br />
changes.<br />
<strong>The</strong> test server must be restarted and republished for these changes to take<br />
effect. To do this, perform the following steps:<br />
1. From the Server perspective Servers view, click the Servers tab.<br />
2. Right-click the server instance <strong>WebSphere</strong> V4.0 Test Environment. Select<br />
Stop.<br />
3. Once the server has stopped, right-click the server instance again and select<br />
Publish. <strong>The</strong> Publishing window will appear.<br />
4. Once publishing has completed, from the Publishing window click OK.<br />
5. Right-click the server instance again and select Start. <strong>The</strong> Server window will<br />
appear.<br />
Appendix C. Additional material 403
404 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> application can now be tested using managed connections. For details on<br />
how to deploy and test CTGTesterCCI with <strong>WebSphere</strong> for Windows, refer to<br />
Chapter 11, “<strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for Windows” on<br />
page 289. For details on how to deploy and test CTGTesterCCI with <strong>WebSphere</strong><br />
for z/OS, refer to Chapter 10, “<strong>CICS</strong> TG and <strong>WebSphere</strong> Application Server for<br />
z/OS” on page 237.
Abbreviations and acronyms<br />
AOR application-owning region<br />
API application programming interface<br />
APPC advanced program-to-program<br />
communications<br />
APPN Advanced Peer-to-Peer Networking<br />
ASCII American Standard Code for<br />
Information Interchange<br />
AWT abstract windowing toolkit<br />
BMP bean-managed persistence<br />
CCF Common Connector Framework<br />
CCI Common Client Interface<br />
CMP container managed persistence<br />
CORBA Component Object Request Broker<br />
Architecture<br />
<strong>CICS</strong> TG <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong><br />
CSR certificate signing request<br />
DBMS database management system<br />
DNS Domain Name System<br />
DPL distributed program link<br />
EAB Enterprise Access Builder<br />
EAR Enterprise Application Archive<br />
EBCDIC Extended Binary Coded Decimal<br />
Interchange Code<br />
ECI External Call Interface<br />
EIS Enterprise Information Systems<br />
EJB Enterprise JavaBeans<br />
EJS Enterprise Java Server<br />
EPI External Presentation Interface<br />
ESI External Security Interface<br />
ESM external security manager<br />
EXCI External <strong>CICS</strong> Interface<br />
FOR file-owning region<br />
FTP File Transfer Protocol<br />
GTF Generalized Trace Facility<br />
GUI graphical user interface<br />
HFS Hierarchical File System<br />
HTML Hypertext Transfer Protocol<br />
HTTP Hypertext Markup Language<br />
IRC inter-region communication<br />
IDE Integrated development environment<br />
ISC inter-system communication<br />
J2EE Java 2 Enterprise Edition<br />
JAR Java archive<br />
JDBC Java Database Connectivity<br />
JDK Java Developer’s Kit<br />
JNDI Java Naming and Directory Interface<br />
JNI Java Native Interface<br />
JSDK Java Servlet Development Kit<br />
JSP JavaServer Page<br />
JVM Java Virtual Machine<br />
LDAP Lightweight Directory Access Protocol<br />
LEN Low Entry Node<br />
LPAR logical partition<br />
LUW logical unit of work<br />
MPTN Multi-Protocol Transport Network<br />
OS/390 operating system 390<br />
RRS resource recovery services<br />
PEM password expiration management<br />
SAF System Authorization Facility<br />
SNA Systems Network Architecture<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 405
406 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Related publications<br />
<strong>IBM</strong> <strong>Redbooks</strong><br />
Other resources<br />
<strong>The</strong> publications listed in this section are considered particularly suitable for a<br />
more detailed discussion of the topics covered in this redbook.<br />
For information on ordering these publications, see “How to get <strong>IBM</strong> <strong>Redbooks</strong>”<br />
on page 408.<br />
► Java Connectors for <strong>CICS</strong>, SG24-6401<br />
► Revealed! Architecting Web Access to <strong>CICS</strong>, SG24-5466<br />
► Enterprise JavaBeans for z/OS and OS/390, <strong>CICS</strong> <strong>Transaction</strong> Server V2.2,<br />
SG24-6284<br />
<strong>The</strong>se publications are also relevant as further information sources:<br />
► <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> library<br />
http://www-3.ibm.com/software/ts/cics/library/manuals/index40.html<br />
► <strong>WebSphere</strong> Application Server InfoCenter<br />
http://www.ibm.com/software/webservers/appserv/infocenter.html<br />
► <strong>CICS</strong> TS V2.2 online library<br />
http://www-3.ibm.com/software/ts/cics/library/cicstsforzos22.html<br />
► <strong>WebSphere</strong> Application Server for OS/390 and z/OS library<br />
http://www-3.ibm.com/software/webservers/appserv/zos_os390/<br />
library.html<br />
► <strong>WebSphere</strong> Application Server library<br />
http://www.ibm.com/software/webservers/appserv/library.html<br />
http://www.ibm.com/support/techdocs.<br />
► <strong>IBM</strong> Technical Support Technical Information Site<br />
http://www.ibm.com/support/techdocs.<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 407
Referenced Web sites<br />
<strong>The</strong>se Web sites are also referenced as further information sources:<br />
► https://www6.software.ibm.com/dl/websphere20/zosos390-p<br />
<strong>WebSphere</strong> Application Server for z/OS downloads<br />
► http://www.verisign.com<br />
VeriSign, the Certificate Authority<br />
► https://www6.software.ibm.com/dl/websphere20/zosos390-p<br />
<strong>WebSphere</strong> for z/OS and OS/390 tools<br />
► http://www-3.ibm.com/software/webservers/appserv/zos_os390<br />
<strong>WebSphere</strong> application server home page<br />
► http://www7b.boulder.ibm.com/wsdd/library/techarticles/0109_kelle/<br />
0109_kelle.html<br />
Whitepaper: Using J2EE Resource Adapters in a Non-managed Environment<br />
► http://java.sun.com/j2ee/download.html#connectorspec<br />
J2EE connector architecture specification<br />
► http://www.ibm.com/software/ts/cics/downloads<br />
<strong>CICS</strong> downloads page<br />
► http://www6.software.ibm.com/dl/connarch/connarch-p<br />
Connector Architecture for <strong>WebSphere</strong> Application Server<br />
► http://www.ibm.com/software/ad/studiointegration<br />
<strong>WebSphere</strong> Studio Application Developer Integration Edition<br />
► http://www-4.ibm.com/software/ts/cics/announce<br />
<strong>CICS</strong> announcements<br />
► http://www.ibm.com/support/techdocs<br />
<strong>IBM</strong> techdocs site<br />
► http://www.dataset.fr/eng/scanport.html<br />
ScanPort download site<br />
How to get <strong>IBM</strong> <strong>Redbooks</strong><br />
You can order hardcopy <strong>Redbooks</strong>, as well as view, download, or search for<br />
<strong>Redbooks</strong> at the following Web site:<br />
ibm.com/redbooks<br />
You can also download additional materials (code samples or diskette/CD-ROM<br />
images) from that site.<br />
408 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
<strong>IBM</strong> <strong>Redbooks</strong> collections<br />
<strong>Redbooks</strong> are also available on CD-ROMs. Click the CD-ROMs button on the<br />
<strong>Redbooks</strong> Web site for information about all the CD-ROMs offered, as well as<br />
updates and formats.<br />
Related publications 409
410 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
Index<br />
Symbols<br />
%%CLIENT%% 274, 280, 345<br />
.profile 148–149, 151, 166<br />
/etc/profile 130, 148, 151, 167<br />
A<br />
address space sharing, ctgstart 144<br />
addTerminal() method 335<br />
AID, EPI support class 12<br />
AIEXIT=DFHZATDY 23, 25, 43, 49–50, 119<br />
AIX 4<br />
Allocate_Pipe, EXCI call 73<br />
AnyNet 40, 44<br />
APARs<br />
OW21511 79<br />
PQ38644 331–332<br />
PQ43296 135<br />
PQ55181 280<br />
PQ55873 239<br />
APPL, VTAM 20<br />
Application Assembly Tool (AAT) for z/OS 258,<br />
260–261, 263, 265, 282<br />
APPLID, <strong>CICS</strong> 20<br />
ATTACHSEC, LU 6.2 connections 22, 69<br />
AUTH_USERID_PASSWORD 106, 127, 130, 151,<br />
166<br />
B<br />
Base64 193, 345, 363<br />
basic authentication 266, 274, 345, 362<br />
basic terminal, EPI 117<br />
bboninst.exe 248<br />
BBONPARM, variable 248<br />
bind security 101, 104<br />
C<br />
CBPS, <strong>CICS</strong> connection template 24, 53<br />
ccf2.jar, 142<br />
CCL0002I, <strong>CICS</strong> TG message 33, 36, 53, 61, 89,<br />
310<br />
CCL1100I, <strong>CICS</strong> TG message 61<br />
CCL1101I, <strong>CICS</strong> TG message 36, 61<br />
CCL1102I, <strong>CICS</strong> TG message 36, 61<br />
CCL1103I, <strong>CICS</strong> TG message 36, 61<br />
CCL1104I, <strong>CICS</strong> TG message 36, 61<br />
CCL1105I, <strong>CICS</strong> TG message 36, 61<br />
CCL1106I, <strong>CICS</strong> TG message 36, 61<br />
CCL1107I, <strong>CICS</strong> TG message 36, 61<br />
CCL1108I, <strong>CICS</strong> TG message 61<br />
CCL1109I, <strong>CICS</strong> TG message 36, 61<br />
CCL1111I, <strong>CICS</strong> TG message 36, 61<br />
CCL1112I, <strong>CICS</strong> TG message 36, 61<br />
CCL1113I, <strong>CICS</strong> TG message 36, 61<br />
CCL1120I, <strong>CICS</strong> TG message 36, 61<br />
CCL3102, <strong>CICS</strong> TG message 96<br />
CCL3229E, <strong>CICS</strong> TG message 224<br />
CCL3247, <strong>CICS</strong> TG message 224<br />
CCL5815, <strong>CICS</strong> TG message 63<br />
CCL5894, <strong>CICS</strong> TG message 62–63<br />
CCL5898, <strong>CICS</strong> TG message 63, 234<br />
CCL5899, <strong>CICS</strong> TG message 62<br />
CCL6502I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL6505I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL6512I, <strong>CICS</strong> TG message 176<br />
CCL6513I, <strong>CICS</strong> TG message 175<br />
CCL6514I, <strong>CICS</strong> TG message 176<br />
CCL6523I, <strong>CICS</strong> TG message 176<br />
CCL6524I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL6525E, <strong>CICS</strong> TG message 208–209<br />
CCL6574I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL6577I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL6602I, <strong>CICS</strong> TG message 175<br />
CCL6603I, <strong>CICS</strong> TG message 176<br />
CCL6651E, <strong>CICS</strong> TG message 209<br />
CCL6668E, <strong>CICS</strong> TG message 162, 210<br />
CCL6670E, <strong>CICS</strong> TG message 162<br />
CCL6693I, <strong>CICS</strong> TG message 176<br />
CCL6695I, <strong>CICS</strong> TG message 176<br />
CCL6720I, <strong>CICS</strong> TG message 176<br />
CCL6721I, <strong>CICS</strong> TG message 176<br />
CCL6727I, <strong>CICS</strong> TG message 176<br />
CCL6800I, <strong>CICS</strong> TG message 178, 286<br />
CCL6801I, <strong>CICS</strong> TG message 178, 286<br />
CCL6802I, <strong>CICS</strong> TG message 178, 286<br />
CCL6804I, <strong>CICS</strong> TG message 286<br />
CCL6805I, <strong>CICS</strong> TG message 178, 286<br />
© Copyright <strong>IBM</strong> Corp. 2001 2002. All rights reserved. 411
CCL6806I, <strong>CICS</strong> TG message 178<br />
CCL6810I, <strong>CICS</strong> TG message 286<br />
CCL6813I, <strong>CICS</strong> TG message 285<br />
CCL6818E, <strong>CICS</strong> TG message 178, 320<br />
CCL6822E, <strong>CICS</strong> TG message 179<br />
CCL6880I, <strong>CICS</strong> TG message 286<br />
CCL8001I, <strong>CICS</strong> TG message 33, 36, 53, 61, 89,<br />
310<br />
CCL8041I, <strong>CICS</strong> TG message 33, 53, 89, 310<br />
CCL8042I, <strong>CICS</strong> TG message 33, 53, 89, 310<br />
CCL8400I, <strong>CICS</strong> TG message 159, 204, 226<br />
CCL8401I, <strong>CICS</strong> TG message 204<br />
CCL8402I, <strong>CICS</strong> TG message 204<br />
CCL8403I, <strong>CICS</strong> TG message 208<br />
CCL8405I, <strong>CICS</strong> TG message 204<br />
cclclnt, process 5<br />
cclserv.exe 5<br />
CEDF, debug transaction 75<br />
CEDX, debug trasaction 75<br />
CEMT transaction 31, 54<br />
CEOT transaction 33<br />
CESN, signon transaction 121<br />
CETR, trace transaction 180–181<br />
CGCSGID value, in TYPETERM definition 335<br />
<strong>CICS</strong> statistics, ECI over TCP/IP 94<br />
<strong>CICS</strong> TS for OS/390 4<br />
<strong>CICS</strong> TS for VSE/ESA 4<br />
<strong>CICS</strong> TS for z/OS 4<br />
<strong>CICS</strong>/ESA V4.1 4<br />
<strong>CICS</strong>/VSE 2.3 4<br />
cics_eci.h, ECI return codes 128, 164<br />
<strong>CICS</strong>CLI variable 153<br />
cicscli, command 5, 33<br />
<strong>CICS</strong>CLI.BIN, client binary trace file 36, 61<br />
<strong>CICS</strong>CLI.INI 9<br />
<strong>CICS</strong>CLI.LOG 36, 55, 61<br />
<strong>CICS</strong>CLI.TRC, client trace file 36, 61<br />
CicsCpRequest class 330<br />
cicseci.rar 296<br />
cicseciRRS.rar 252<br />
<strong>CICS</strong>TERM command 33, 53<br />
CIEO, <strong>CICS</strong> TD queue 84<br />
Client daemon 5<br />
CMAC, messages and codes transaction 64<br />
CNOS, change number of sessions 22–23<br />
com.ibm.connector2.cics.outputerr 323<br />
com.ibm.ws.classloader 284<br />
com.ibm.ws390.logwriter 284<br />
Configuration Tool 9, 29, 46, 153, 220, 222<br />
412 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
CONNECTION definitions, <strong>CICS</strong><br />
APPC 21<br />
autoinstall 23<br />
EXCI 68<br />
connection factory 243, 257, 272–273, 279–280,<br />
283, 297–299, 306–307, 313, 316–317, 320, 322,<br />
401<br />
connection manager threads 153, 155<br />
connectionlogging, <strong>Gateway</strong> daemon parameter<br />
160<br />
connector.jar 142<br />
contention winner sessions 28<br />
conversation security, SNA 29<br />
CPMI, mirror transaction 114, 331<br />
cross-memory services (XM) 69<br />
cross-system coupling facility (XCF) 69<br />
CRSR transaction 29<br />
Cryptographic Coprocessor Feature 188<br />
CSMI, mirror transaction 109, 257<br />
CTG.INI, configuration file 9, 23, 29, 46, 48, 51, 87,<br />
153, 155, 170<br />
CTG_CLASSES 162<br />
CTG_CLASSPATH 162<br />
CTG_JNI_TRACE, variable 177<br />
CTG_RRMNAME, variable 74, 152, 165, 171, 247<br />
ctgadmin.jar 142, 174, 176, 232<br />
ctgcfg, See Configuration Tool<br />
ctgclient.jar 205, 227–228, 302, 392<br />
ctgenvvar file 74, 148, 150–151, 170, 177<br />
ctgenvvarsamp file 142<br />
ctgikey 189<br />
CTGJNI.dll 8, 126, 142, 176, 252, 285<br />
CTGSAMP.INI, sample CTG.INI 142<br />
ctgsamples.jar 102, 142, 203<br />
ctgserver.jar 142, 220, 302<br />
ctgstart 142–143, 148–149, 154<br />
CTGSTART_HOME, variable 170<br />
CTGTesterCCI 396<br />
application description 355<br />
application flow 356<br />
application overview 291<br />
deploying to <strong>WebSphere</strong> for Windows 304<br />
deploying to <strong>WebSphere</strong> for z/OS 261<br />
importing into <strong>WebSphere</strong> Studio 396<br />
testing in <strong>WebSphere</strong> Studio 400<br />
CTGTesterECI<br />
application description 338<br />
application flow 338<br />
application overview 290
deploying to <strong>WebSphere</strong> for Windows 299<br />
deploying to <strong>WebSphere</strong> for z/OS 265<br />
importing into <strong>WebSphere</strong> Studio 391<br />
testing in <strong>WebSphere</strong> Studio 393<br />
current.env 245, 254, 286<br />
D<br />
data conversion 239–240, 293, 329, 331<br />
DB2, installing 293<br />
DB2, Universal Database Enterprise Edition 292<br />
default user ID, <strong>CICS</strong> 70, 100<br />
definitions checklist 67<br />
APPC 19<br />
<strong>CICS</strong> TG for Linux 215<br />
<strong>CICS</strong> TG for z/OS 135<br />
SSL 187<br />
TCP/IP 84<br />
TCP62 42<br />
<strong>WebSphere</strong> for Windows 293<br />
<strong>WebSphere</strong> for z/OS 239<br />
deployment descriptor, Web 280<br />
DFH$AXCS 75<br />
DFH$STAT, <strong>CICS</strong> statistics group 94<br />
DFH0CXCC, EXCI batch program 75<br />
DFHAC2047 127<br />
DFHAPPL, RACF FACILITY class profile 105<br />
DFHAUPLE 72<br />
DFHCCNV, data conversion program 329, 331<br />
DFHCLNT, <strong>CICS</strong> Universal Client group 21, 43<br />
DFHCNV 67, 84, 136, 215, 239, 293<br />
DFHDCTG, CSD group 84<br />
DFHEDFP, execution diagnostic facility 75<br />
DFHIE1203, <strong>CICS</strong> message 96<br />
DFHIEP, ECI over TCP/IP listener 84<br />
DFHIPECI, CSD group 84<br />
DFHIR000, XCF group 79<br />
DFHIRP, <strong>CICS</strong> IRC program 69<br />
DFHIRSDS 179<br />
DFHISC, ISC group 21, 43<br />
DFHJVPIPE, variable 68–69, 74, 77, 150, 165<br />
DFHJVSYSTEM, variable 106, 150<br />
DFHLIST 84<br />
DFHMIRR, mirror program 331–332<br />
DFHMIRS, <strong>CICS</strong> mirror program 330, 332<br />
DFHPD620, <strong>CICS</strong> message 172<br />
DFHRPL 239<br />
DFHSN1400, <strong>CICS</strong> message 126, 277, 279<br />
DFHSN1500, <strong>CICS</strong> message 277<br />
DFHXCOPT, EXCI options table 72, 151, 180<br />
DFHXCPRX 166<br />
DFHXCSTB 251<br />
DFHXCSVC 104, 144<br />
DFHXCURM, EXCI user-replaceable module 73,<br />
156<br />
DFHZATDX 62<br />
DFHZATDY 23, 25, 43, 49–50, 119<br />
DFHZC2411, <strong>CICS</strong> message 64<br />
DFHZC3461, <strong>CICS</strong> message 34, 54<br />
DFHZC4900, <strong>CICS</strong> message 34, 54<br />
DFHZC4901, <strong>CICS</strong> message 34<br />
DFHZC5966, <strong>CICS</strong> message 34, 54<br />
DFHZC6907, <strong>CICS</strong> message 64<br />
DFHZC6921, <strong>CICS</strong> message 64<br />
DFHZC6935, <strong>CICS</strong> message 54<br />
DFLTUSER, SIT parameter 100<br />
DNS server 51<br />
DNSUFX, VTAM domain name suffix 45<br />
dumping, <strong>CICS</strong> TG for z/OS 171<br />
dumpnamespace 320<br />
dynamic LU names, TCP62 41, 45, 48<br />
dynamic trace facility 7, 174–177, 232<br />
E<br />
EC01, COBOL sample 136, 161, 203<br />
EC02, COBOL sample 136, 162<br />
ECI over TCP/IP 82<br />
ECI resource adapter 252<br />
ECI resource adapter, installing 295<br />
ECI_ERR_INVALID_DATA_LENGTH 128<br />
ECI_ERR_NO_<strong>CICS</strong> 129, 165, 179<br />
ECI_ERR_RESOURCE_SHORTAGE 165<br />
ECI_ERR_SECURITY_ERROR 130, 165<br />
ECI_ERR_SYSTEM_ERROR 129, 156, 165, 171,<br />
173, 175, 320<br />
ECI_ERR_TRANSACTION_ABEND 179<br />
ecib1.vbs, VBScript test application 88<br />
ECIPROG2 239, 269–270, 272–273, 276, 279, 390<br />
ECIRequest class 242<br />
listSystems() method 150<br />
Enterprise Information Systems (EIS) 11, 13<br />
EPI beans 12<br />
EPI support classes 12<br />
EPIP transaction 120<br />
EPIPROG 116, 390<br />
EPIRequest, <strong>CICS</strong> TG base class 12<br />
equivalent systems 100, 108, 120, 277<br />
Index 413
errno, return codes 128<br />
ESIRequest, <strong>CICS</strong> TG base class 13<br />
EXCI<br />
connection definition 68<br />
loging of return codes 176<br />
pipes 69, 71, 153, 165, 251<br />
pipes, maximum usage 156<br />
retryable errors 73<br />
subreasons 179<br />
tracing 80<br />
Version 2 331<br />
See also APAR PQ38644<br />
EXCI_LOADLIB 74, 151<br />
EXCI_OPTIONS 74, 151<br />
EXEC <strong>CICS</strong> SIGNON 123<br />
expedited flows 56<br />
extattr command 145<br />
extattr, USS command<br />
See also program control<br />
extended terminals, EPI 117<br />
external security manager, <strong>CICS</strong> use of 100<br />
F<br />
FACILITY class, RACF 144, 165<br />
FieldData, EPI support class 12<br />
firewalls 56<br />
Flowed user ID 100<br />
flowing user ID, in ECIRequest 345<br />
FTP service, Linux 215<br />
G<br />
gateway.properties 9<br />
gateway.T.setJNITFile 285, 324<br />
generalized trace facility (GTF) 80, 173<br />
tracing EXCI 179<br />
getBytes() method 332<br />
GetSense utility 35, 60, 63<br />
gskkyman 188<br />
H<br />
HFS, data set creation 138<br />
HLQ 151<br />
HOMETEST, TSO command 44, 85, 166<br />
hosts file, TCP/IP 51<br />
HP-UX 4<br />
HTTP Server for z/OS 240<br />
definitions 247<br />
414 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
HTTP Transport Handler, <strong>WebSphere</strong> for z/OS 240<br />
I<br />
<strong>IBM</strong> eNetwork Communications Server 17<br />
<strong>IBM</strong> eNetwork Personal Communications 17<br />
IE domain, <strong>CICS</strong> 97<br />
iKeyman 189, 196–197<br />
initconnect, <strong>Gateway</strong> daemon paramater 153<br />
initworker, <strong>Gateway</strong> daemon paramater 153<br />
Integrated Cryptographic Service Facility (ICSF)<br />
188<br />
intercommunication security 101<br />
inter-region communication (IRC) 69<br />
ipconfig 49<br />
IPCS, formatting traces 172, 182<br />
IRCSTRT, SIT parameter 103, 250<br />
ISC, SIT parameter 84, 250<br />
J<br />
Java client 285<br />
Java Record Framework 329<br />
JAVA_PROPAGATE, variable 106<br />
JSSE 185, 189<br />
jvm.properties, <strong>WebSphere</strong> for z/OS 245, 285<br />
JVM_DEBUG variable, <strong>WebSphere</strong> for z/OS 286<br />
JVM_LOGFILE variable, <strong>WebSphere</strong> for z/OS 286<br />
K<br />
key database, creating on z/OS 191<br />
Keyring, creating a client 196<br />
Keystore, creating on z/OS 194<br />
Keytool 189, 210<br />
L<br />
LAN connection, SNA 28<br />
LAN device, SNA 28<br />
LDAP browser 282<br />
LDAP server 282<br />
ldapadd 282<br />
ldapdelete 282<br />
ldapmoddrn 282<br />
ldapmodify 282<br />
ldapsearch 282<br />
LEN, low entry node 48<br />
libCTGJNI.so See CTGJNI.dll<br />
link security 71, 101, 107, 119<br />
link station, SNA 31
link user ID 100, 277<br />
Linux, <strong>CICS</strong> TG support 213<br />
Linux, for S/390 4<br />
listSystems() method 8, 150<br />
local protocol 309<br />
logging, of connections 159<br />
logging, of EXCI return codes 176<br />
login-config 280<br />
LOGMODE, VTAM 44<br />
logs<br />
<strong>CICS</strong> TG for z/OS 146, 154, 204<br />
Client daemon 36, 55<br />
<strong>WebSphere</strong> for Windows 319<br />
<strong>WebSphere</strong> for z/OS 281<br />
LU 6.2 18, 20–21, 25–27<br />
M<br />
MAC address, SNA 20, 28<br />
Map, EPI support class 12<br />
MapData, EPI support class 12<br />
maxconnect, <strong>Gateway</strong> daemon paramater 153<br />
MAXFILEPROC 94<br />
MAXSOCKETS, SIT parameter 94<br />
maxworker, <strong>Gateway</strong> daemon paramater 153, 157<br />
mirror transaction, CSMI 109<br />
mode group, SNA 20, 30, 47<br />
MRO bind security 104<br />
Multiprotocol Transport Networking (MPTN) 40, 48<br />
N<br />
NETID, VTAM 26<br />
NETNAME, CONNECTION definition 68–69, 74,<br />
77, 150, 165<br />
netstat, TCP/IP test tool 55, 166<br />
noinput, <strong>Gateway</strong> daemon paramater 154<br />
nonames, <strong>Gateway</strong> daemon paramater 154<br />
notime, <strong>Gateway</strong> daemon paramater 154<br />
nslookup, TCP/IP test tool 166<br />
NSTRC.TLG 37<br />
NSTRC.TRC 37<br />
O<br />
onetstat command 205<br />
on-line library, <strong>CICS</strong> TG 407<br />
on-line library, <strong>CICS</strong> TS V2.2 407<br />
Operations application, <strong>WebSphere</strong> for z/OS 244<br />
P<br />
password checking, <strong>CICS</strong> TG 106<br />
Password Expiration Management (PEM) 7, 13<br />
Personal Communications 17, 31<br />
ping command 166, 205<br />
pipes, EXCI 156, 165<br />
prefixing, <strong>CICS</strong> security 104<br />
PROFILE.TCPIP data set 44, 85<br />
program control 104, 130, 143–145<br />
Protection directive, HTTP Server 280<br />
protocol handlers, <strong>CICS</strong> TG 7<br />
R<br />
RACF 8, 13<br />
BPX.SERVER FACILITY class 144<br />
FACITLY class 105<br />
security profiles for <strong>CICS</strong> TG for z/OS 144<br />
SPECIAL authority 143<br />
SURROGAT class profiles 109, 251<br />
T<strong>CICS</strong>TRN class 109, 114<br />
RAR files 252, 295<br />
RECEIVECOUNT, <strong>CICS</strong> SESSIONS definition 71,<br />
153, 156, 165<br />
Red Hat Package Manager 216<br />
<strong>Redbooks</strong> Web site 408<br />
region user ID, <strong>CICS</strong> 100<br />
Res-Auth, EJB deployment descriptor 281<br />
RESOLVE_IPNAME 247<br />
resource adapter, ECI 243, 295<br />
resource recovery services (RRS) 73, 152, 247,<br />
250<br />
resource reference 306<br />
resource security, <strong>CICS</strong> 100<br />
rpm, comand 217<br />
RRMS, SIT parameter 73, 250<br />
RU size 28<br />
RunAs, EJB deploymnet descriptor 280<br />
S<br />
Screen, EPI support class 12<br />
SDFHEXCI 130, 143, 149, 151, 166, 251<br />
SDFHMAC 179<br />
SDHFLINK, program control 104<br />
SEC, SIT parameter 103<br />
SECPRFX, SIT parameter 103–104<br />
security prefixing 104<br />
security, surrogate 109<br />
security, with <strong>CICS</strong> TG for z/OS 144<br />
Index 415
security, with ECI requests 115<br />
security-constraint 280<br />
SECURITYNAME, CONNECTION definition 119<br />
segment, OMVS 109<br />
self-signed certificate<br />
creating 194<br />
exporting 199<br />
listing 195<br />
sense codes, SNA 35, 60–61, 63<br />
serious events, <strong>WebSphere</strong> for Windows 318<br />
Service directive, HTTP Server 266<br />
services, Windows 5<br />
SESSIONS definition 70, 156<br />
Set OS Thread Identity to RunAS Identity, See<br />
ThreadID<br />
setLogWriter() method 322–323<br />
setTraceLevel() method 283, 322<br />
SHAREPORT parameter, TCP/IP 170<br />
Signer Certificate, adding to a keystore 199<br />
signon capable terminal, EPI 116<br />
signon incapable terminal, EPI 116, 123<br />
signon/signoff message suppression 126<br />
SignonCapable.java 102, 115, 121, 390<br />
SignonIncapable.java 102, 116, 123, 390<br />
SIT parameters 23, 25, 43, 49–50, 119<br />
AIEXIT 23<br />
APPLID 43<br />
DFLTUSER 70, 100<br />
IRCSTRT 67, 103, 250<br />
ISC 21, 43, 67, 84, 250<br />
MAXSOCKETS 94<br />
RRMS 73, 250<br />
SEC 103<br />
SECPRFX 103–104<br />
TCPIP 84<br />
XCMD 103<br />
XDCT 103<br />
XFCT 103<br />
XPCT 103<br />
XPPT 103<br />
XTRAN 103<br />
SNA<br />
contention winner sessions 28<br />
control point 20, 28<br />
link station 31<br />
mode group 20, 28<br />
RU size 28<br />
TP name 29<br />
XID 20, 28<br />
416 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong><br />
SNA Node Operations, Personal Communications<br />
31–32<br />
Softerra, LDAP browser 282<br />
software checklist<br />
<strong>CICS</strong> TG for Linux 214<br />
<strong>CICS</strong> TG for z/OS 135<br />
EXCI 67<br />
SSL 187<br />
TCP/IP 83<br />
TCP62 19, 42<br />
<strong>WebSphere</strong> for Windows 292<br />
<strong>WebSphere</strong> for z/OS 239<br />
specific pipes, EXCI 68, 74, 251<br />
SSL, z/OS 185<br />
SSLight 188<br />
STAT, statistics transaction 94<br />
static LU names, TCP62 41<br />
STDENV member 106, 147–148, 151, 165,<br />
169–170, 177<br />
STEPLIB 166<br />
subnet masks, TCP/IP 49–50<br />
subreasons, EXCI 179<br />
Sun Solaris 4<br />
surrogate security 251<br />
surrogate user ID for unauthenticated requests 280<br />
synchronization level, SNA 29<br />
SYS1.PARMLIB 94, 167, 181<br />
System Authorization Facility (SAF) 100<br />
System Management End-User Interface 244,<br />
247–248<br />
SystemSSL, description 188<br />
T<br />
T<strong>CICS</strong>TRN, RACF profiles 109<br />
TCP/IP major node 44<br />
TCP62 protocol 40<br />
tcp62locallu.exe 51<br />
TCPAdmin protocol handler 174, 232<br />
TCPIP.DATA, TCP/IP profile data set 44, 85<br />
TCPIP=YES, SIT parameter 84<br />
TCPIPSERVICE definition 85, 113<br />
Terminal, EPI support class 12<br />
test certificates 192, 194<br />
tfile, <strong>Gateway</strong> daemon paramater 154<br />
thread limits, <strong>Gateway</strong> daemon 153, 155<br />
ThreadID, EJB deployment descriptor 280–281<br />
TP name, SNA 29<br />
TRACEALL variable, <strong>WebSphere</strong> for z/OS 287
TRACEBUFFLOC variable, <strong>WebSphere</strong> for z/OS<br />
287<br />
tracert command 92<br />
tracing<br />
<strong>CICS</strong> ECI over TCP/IP 97<br />
<strong>CICS</strong> IE domain 97<br />
<strong>CICS</strong> TG for z/OS 154<br />
Client daemon 36, 61<br />
ECI resource adapter 322<br />
EXCI 171<br />
GTF 179<br />
HTTP Server, z/OS 287<br />
J2EE resource adapter 283<br />
J2EE Server 286<br />
Java client, <strong>CICS</strong> TG 285, 321<br />
JNI trace, <strong>CICS</strong> TG 176, 285, 324<br />
Personal Communications 37<br />
TCP/IP packet trace 97<br />
transaction security, <strong>CICS</strong> 100<br />
transactional EXCI 73, 152<br />
two phase commit 73, 252, 259<br />
TYPETERM definition 335<br />
U<br />
UDP 56<br />
Unicode 332<br />
unique LU names, TCP62 50<br />
USEDFLTUSER 122<br />
User security 101<br />
V<br />
variables 148<br />
AUTH_USERID_PASSWORD 106, 127, 130,<br />
166<br />
<strong>CICS</strong>CLI 151<br />
CTG_JNI_TRACE 177–178<br />
CTG_RRMNAME 171, 178<br />
CTGSTART_HOME 170<br />
DFHJVPIPE 68, 74, 77, 149–150, 165<br />
DFHJVSYSTEM 150<br />
VBScript, test application 88<br />
VisualAge for Java 12<br />
VTAM<br />
APPL definition 20, 44<br />
application program major node 26<br />
DYNLU=YES 27<br />
LOGMODE 20, 27<br />
NETID 20, 26<br />
PU 20<br />
SNASVCMG mode 27<br />
SSCP 20<br />
switched major node 27<br />
TCP/IP major node 44<br />
VTAM, commands 57<br />
W<br />
was.conf 267, 274<br />
WebAuth.UnauthenticatedUserSurrogate 280<br />
webcontainer.conf, J2EE Server file 245, 280<br />
<strong>WebSphere</strong> Application Server<br />
Advanced Edition for Windows 293<br />
V4.0 for z/OS 237<br />
<strong>WebSphere</strong> Plugin, z/OS 240<br />
<strong>WebSphere</strong> Studio<br />
Application Developer Integration Edition 391<br />
using additional material with 391<br />
Windows NT and 2000 4<br />
worker threads 153–157<br />
workertimeout, <strong>Gateway</strong> daemon paramater 147,<br />
154–155<br />
X<br />
XCMD, SIT parameter 103<br />
XDCT, SIT parameter 103<br />
XFCT, SIT parameter 103<br />
XID, SNA 20<br />
XMEOUT, user exit 126<br />
XPCT, SIT parameter 103<br />
XPPT, SIT parameter 103<br />
XTRAN, SIT parameter 103<br />
Z<br />
z/OS, <strong>CICS</strong> TG support 133<br />
z/OS, <strong>WebSphere</strong> support 237<br />
Index 417
418 <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>
(0.5” spine)<br />
0.475”0.875”<br />
250 459 pages<br />
<strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> <strong>V5</strong>: <strong>The</strong> <strong>WebSphere</strong> Connector for <strong>CICS</strong>
<strong>CICS</strong> <strong>Transaction</strong><br />
<strong>Gateway</strong> <strong>V5</strong><br />
<strong>The</strong> <strong>WebSphere</strong> Connector for <strong>CICS</strong><br />
Install and configure<br />
the <strong>CICS</strong> TG on z/OS,<br />
Linux, and Windows<br />
Configure TCP/IP,<br />
TCP62, APPC or EXCI<br />
connections to <strong>CICS</strong><br />
TS V2.2<br />
Deploy J2EE<br />
applications to<br />
<strong>WebSphere</strong><br />
Application Server<br />
V4 on z/OS or<br />
Windows<br />
SG24-6133-01 ISBN 0738426687<br />
Back cover<br />
<strong>The</strong> <strong>CICS</strong> <strong>Transaction</strong> <strong>Gateway</strong> (<strong>CICS</strong> TG) is widely used to<br />
provide access to <strong>CICS</strong> COMMAREA-based programs and<br />
3270 transactions from Java environments. This <strong>IBM</strong><br />
Redbook shows you how to build a robust <strong>CICS</strong> TG<br />
configuration for a variety of different configurations.<br />
First we introduce the facilities of the <strong>CICS</strong> TG, followed by<br />
step-by-step explanations of how to use the different<br />
protocols (TCP/IP, TCP62, APPC and EXCI) used for<br />
communication with a <strong>CICS</strong> TS V2.2 region on z/OS, and how<br />
to secure your <strong>CICS</strong> region when receiving External Call<br />
Interface (ECI) or External Presentation Interface (EPI)<br />
requests.<br />
Next, we provide details on how to configure the <strong>CICS</strong> TG <strong>V5</strong><br />
on either z/OS or Linux to connect a Java client application to<br />
a <strong>CICS</strong> region. <strong>The</strong> use of the Secure Sockets Layer (SSL)<br />
protocol to encrypt the communication from the Java<br />
application to the <strong>CICS</strong> TG is included in these scenarios.<br />
Finally, we offer two scenarios to illustrate how to configure<br />
<strong>WebSphere</strong> Application Server V4 on the Windows or z/OS<br />
platforms, to use the supplied ECI resource adapter to allow<br />
J2EE applications to make ECI calls to <strong>CICS</strong>.<br />
INTERNATIONAL<br />
TECHNICAL<br />
SUPPORT<br />
ORGANIZATION<br />
®<br />
BUILDING TECHNICAL<br />
INFORMATION BASED ON<br />
PRACTICAL EXPERIENCE<br />
<strong>IBM</strong> <strong>Redbooks</strong> are developed by<br />
the <strong>IBM</strong> International Technical<br />
Support Organization. Experts<br />
from <strong>IBM</strong>, Customers and<br />
Partners from around the world<br />
create timely technical<br />
information based on realistic<br />
scenarios. Specific<br />
recommendations are provided<br />
to help you implement IT<br />
solutions more effectively in<br />
your environment.<br />
For more information:<br />
ibm.com/redbooks