Using a Secure DDM TCP/IP Connection with Robot HA

 

For Robot HA 13.08 and Above

After initial setup (INZRSFHA or Robot GUIDE Automated Setup), if you need to change the authentication method you can use the RHACHGDDM command.

1. On your production system, enter the command RBTHALIB/RHACHGDDM and press F4 to prompt.
2. For the 'Server ID' parameter, enter the Server ID of the system on which to change the DDM configuration.
3. For the 'Already Configured PowerHA' parameter, enter *YES or *NO depending on your PowerHA configuration.
   • Enter *YES if you have already configured PowerHA.
   • Enter *NO if you have PowerHA installed but are not yet configured or you do not have PowerHA installed.
4. Press Enter.
5. Enter your chosen value for the ‘Select new DDM authentication method’ parameter.
6. Press Enter.

Note: Running the RHACHGDDM command updates the value on the ‘lowest authentication method’ parameter for the CHGDDMTCPA command.

For Robot HA 13.07 and Below
Setting your authentication method is defined within the CHGDDMTCPA command settings. When defining security for DDM TCP/IP, *ENCUSRPWD is the most secure method. Before setting your method to *ENCUSRPWD, ensure that it will not adversely affect your other applications. The lowest authentication method we recommend is *USRIDPWD.
To use secure authentication with Robot HA, follow the steps below.

1. Complete this step if you are at OS 7.4 or below. If you are at 7.5 or above, skip to step 2.
   Set the system value to retain server security data. On both production and backup, run the following command:
   DSPSYSVAL QRETSVRSEC
   
   The value should be set to 1. If it is not, change it to 1 by running the following command:
   CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1') 

2. Add Server Authorization entries.
   A Server Authority entry is essentially a cross-reference between a local and remote user profile. It is used whenever a job needs to start a DDM connection to a remote system that is configured to use an authentication method that requires a password.  It specifies that a job running under user A on the local system should connect to the remote system as user B, with password C.  The password is stored by the system in encrypted form.
   The setup must be performed on both systems because Robot HA initiates remote DDM connections both ways between Production and Backup.
   In our examples below we use ROBOTHA as the service profile to use for the DDM connection.  As of 13.07, Robot HA provides the user profile ROBOTHA to be used on your production system for running jobs. This profile should be used as the profile for the DDM connection.
   
   On the production system
   On the production system, Robot HA uses profile QSECOFR in the background to make connections. 
   The following server Authority entry needs to be created:
   ADDSVRAUTE USRPRF(QSECOFR) SERVER(backupname) USRID(ROBOTHA) PASSWORD(yourpassword)
   
   On the backup system
   On the backup system, Robot HA uses profile RSFSRV.  Therefore, the following server authority entry needs to be created:
   ADDSVRAUTE USRPRF(RSFSRV) SERVER(productionname) USRID(ROBOTHA) PASSWORD(yourpassword)
   
   On both systems:
   After the Server authority entries have been created you can now specify to require a password. Run this command on both systems:
   CHGDDMTCPA AUTOSTART(*YES) PWDRQD(yourvalue) ENCALG(*DES)

RDB entries need to match the CHGDDMTCPA value and must be the same on production and backup systems.
 

Notes:

• You will not see RDB entries until you have created a sync attribute that uses remote journaling.
• If the ROBOTHA profile password changes, you need to update the Server Authority Entry. Run the CHGSVRAUTE to change the password.