
DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers

Applies to:
SAP NetWeaver with DB2 for z/OS.
For more information, visit the Software Logistics homepage.

Summary
In a high availability (HA) installation with IBM DB2 for z/OS and SAP application servers on Windows,
directories on the mainframe are to be shared from Windows. This document is intended to help you in
setting up DFS/SMB explicitly for an SAP HA system on the mainframe.

Author: Dr. Christian Schaefer
Company: SAP AG
Created on: 17 October 2008

Author Bio
Dr. Christian Schaefer is Development Architect at the joint SAP/IBM platform team and has
over 23 years of experience in SAP on IBM mainframes. He joined SAP in 1985. He worked
on the interfaces of SAP R/2 to CICS and MVS. He holds a DSC in Theoretical Physics from the
University of Heidelberg, Germany. Christian can be reached at christian.schaefer@sap.com.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2008 SAP AG 1

Table of Contents
DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers
Procedure
Export Mainframe File Systems
Define Shared Directories
Map SMB User IDs to z/OS User IDs
Select Method for User Authentication Without Prompting the User for a Password
Pass-through Authentication
RACF DCE Segments for SMB Encrypted Password Support
Define Environment Variables
Windows Vista, Windows Server 2008
Related Content
Copyright


DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers
In a high availability (HA) installation with IBM DB2 for z/OS and SAP application servers on Windows, the
following run on the z/OS mainframe server: the DB2 database, the SAP central services for ABAP and Java
(ASCS and SCS, respectively), as well as the enqueue replication server (ERS). The SAP global host of
such a system is the mainframe. The SAP directories located on the mainframe under "/usr/sap" must be
available to Windows through the share "/sapmnt" on Windows. This enables Windows to access the data
in "/usr/sap" in USS on z/OS.

Figure: SAP Directories (diagram not reproduced). Labels in the diagram: on the Unix side / (root), usr,
sapmnt, sap, <SID>, SYS, global, profile, exe; on the Windows side <Computer> and
\\<SAPGLOBALHOST>\sapmnt; legend: symbolic link, share.

You can use the IBM component DFS/SMB to share data between systems located on z/OS and Windows.
DFS/SMB is part of the z/OS operating system and implements the SMB protocol on z/OS, which allows
Windows applications to access data on the mainframe. This IBM component serves a purpose similar to
that of the open source SMB server Samba.
This document is intended to help you in setting up DFS/SMB explicitly for an SAP HA system on the
mainframe. The target group for this information ideally possesses knowledge of SAP software and is very
familiar with Unix System Services (USS) on the mainframe. For a general description of the DFS/SMB
setup, see the IBM documentation "z/OS Distributed File Service SMB Administration".

Procedure
The following steps must be carried out to set up DFS/SMB:
• Export mainframe file systems
• Define shared directories
• Map SMB user IDs to z/OS user IDs
• Select method for user authentication without prompting the user for a password
• Define environment variables


To carry out these steps, you must modify several DFS/SMB tables located in the directory
"/opt/dfslocal/var/dfs". In this document, the configuration files are referred to by their paths under
"/opt". The entries in "/opt" are symbolic links, as seen in the following output of the "ls" command:
csh:/etc/dfs/home/dfskern> ls -l /opt
total 0
lrwxrwxrwx 1 STC OMVSGRP 10 Jul 30 13:19 dcelocal -> ../etc/dce
lrwxrwxrwx 1 STC OMVSGRP 21 Jul 30 13:19 dfsglobal -> ../usr/lpp/dfs/global
lrwxrwxrwx 1 STC OMVSGRP 10 Jul 30 13:19 dfslocal -> ../etc/dfs

Export Mainframe File Systems


To share data on the mainframe with computers running on Windows, you must use DFS/SMB to export the
file systems that contain the data in question. The following figure displays file systems and their directories
on USS. Windows accesses the directories in "/usr/sap" in USS by using the share "sapmnt". In the
example below, these directories are located in file system LOCAL.USR.SAP, which is why you must export
this file system.
"/usr/sap" contains absolute symbolic links to directories in the USS directory "sapmnt". Because the
linked directories are located in the LOCAL.SAPMNT dataset, you must export that dataset as well.
Since the absolute links begin with a slash (/), you must also export the file system of the root directory,
OMVS.ROOT. However, the export does not allow access to this OMVS.ROOT file system. You must
explicitly define shares for access purposes.

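Example: SAP directories and file systems under USS (diagram not reproduced). It shows the root
directory / in file system OMVS.ROOT, the directory sapmnt in LOCAL.SAPMNT, and the directory usr/sap in
LOCAL.USR.SAP.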

To export the file systems, you define them in DFS/SMB in the tables "devtab" and "dfstab". These tables
are located in "/opt/dfslocal/var/dfs".


HFS datasets are exported in "devtab". These datasets are assigned unique minor device numbers that can
be chosen at will. Our example could be as follows:

*
define_ufs 3
LOCAL.USR.SAP auto
*
define_ufs 4
LOCAL.SAPMNT auto
*
define_ufs 5
OMVS.ROOT auto
Example: "devtab" Entries

"dfstab" contains a list of the file systems that you need to have exported. The following displays the
"dfstab" entries of file systems that need to be exported with their respective minor device numbers:

/dev/ufs3 hfs3 ufs 3 0,,3
/dev/ufs4 hfs4 ufs 4 0,,4
/dev/ufs5 hfs5 ufs 5 0,,5
Example: "dfstab" Entries

You can find a detailed description of the entries contained in "devtab" and "dfstab" in the IBM
documentation "z/OS Distributed File Service SMB Administration".

Define Shared Directories


In "smbtab", you define those directories that you want to share. We must be able to access the directory
"/usr/sap" and its subdirectories under the share name "/sapmnt". We only need one entry in "smbtab"
to make this possible:

# /usr/sap
/dev/ufs3 sapmnt ufs "Description of the share" r/w 0 /
Example: "smbtab" Entry

The absolute links in "/usr/sap" that point to other file systems can now be resolved by DFS/SMB, since
we exported the corresponding file systems in the tables "devtab" and "dfstab".
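
The three tables have to agree with each other: every device that "smbtab" shares or that an absolute link depends on must be defined in "devtab" and listed in "dfstab". The following check is an added example, not part of the original document or of DFS/SMB; it assumes the table layouts shown above, and the function names and sample strings are constructed for illustration.

```python
import re
import shlex

def parse_devtab(text):
    """Map minor device number -> dataset name ('*' lines are comments)."""
    devices, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        match = re.fullmatch(r"define_ufs\s+(\d+)", line)
        if match:
            pending = int(match.group(1))
        elif pending is not None:
            devices[pending] = line.split()[0]  # drop the trailing "auto"
            pending = None
    return devices

def parse_dfstab(text):
    """Return the device name (first field) of every exported ufs row."""
    rows = (line.split() for line in text.splitlines())
    return [f[0] for f in rows if len(f) >= 5 and re.fullmatch(r"/dev/ufs\d+", f[0])]

def parse_smbtab(text):
    """Return (device, share name) pairs; '#' lines are comments."""
    shares = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            fields = shlex.split(line)  # keeps the quoted description together
            shares.append((fields[0], fields[1]))
    return shares

def check_exports(devtab, dfstab, smbtab):
    findings = []
    devices, exported = parse_devtab(devtab), parse_dfstab(dfstab)
    for dev in sorted(set(exported)):
        if exported.count(dev) > 1:
            findings.append(f"dfstab: {dev} is listed {exported.count(dev)} times")
        minor = int(dev[len("/dev/ufs"):])
        if minor not in devices:
            findings.append(f"dfstab: {dev} has no define_ufs {minor} in devtab")
    for minor, dataset in sorted(devices.items()):
        if f"/dev/ufs{minor}" not in exported:
            findings.append(f"devtab: {dataset} (define_ufs {minor}) is missing from dfstab")
    for device, share in parse_smbtab(smbtab):
        if device not in exported:
            findings.append(f"smbtab: share {share} uses {device}, which dfstab does not export")
    return findings

# Constructed sample: the page's three tables, with one deliberate slip in
# dfstab (the third row repeats /dev/ufs3 instead of naming /dev/ufs5).
DEVTAB = "*\ndefine_ufs 3\nLOCAL.USR.SAP auto\n*\ndefine_ufs 4\nLOCAL.SAPMNT auto\n*\ndefine_ufs 5\nOMVS.ROOT auto\n"
DFSTAB_BAD = "/dev/ufs3 hfs3 ufs 3 0,,3\n/dev/ufs4 hfs4 ufs 4 0,,4\n/dev/ufs3 hfs5 ufs 5 0,,5\n"
DFSTAB_OK = DFSTAB_BAD.replace("/dev/ufs3 hfs5", "/dev/ufs5 hfs5")
SMBTAB = '# /usr/sap\n/dev/ufs3 sapmnt ufs "Description of the share" r/w 0 /\n'

if __name__ == "__main__":
    for finding in check_exports(DEVTAB, DFSTAB_BAD, SMBTAB):
        print(finding)
```

With the slip in place, OMVS.ROOT is defined but never exported, so the absolute links under "/usr/sap" cannot be resolved from Windows.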


Map SMB User IDs to z/OS User IDs


PC users work on their PCs with a Windows user ID. When a user accesses the mainframe using DFS/SMB, this
Windows user ID becomes the SMB user ID. You must map the SMB user IDs of the clients to z/OS user
IDs, since the local security subsystem (for example, RACF) does not know SMB user IDs. You can map the
user IDs with the file "smbidmap" that is located under "/opt/dfslocal/var/dfs". For an SAP
installation, the following users must be mapped to each other:

SMB (Windows) user ID    z/OS user ID
SAPService<SID>          <SID>adm
<SID>adm                 <SID>adm
Administrator            <root> (SAP installation user)

Where:
<SID> is the system ID of your SAP system
<root> is the USS user ID, with which the SAP instances are installed on z/OS USS.
The corresponding entries in "smbidmap" are as follows:
SAPService<SID>
<SID>adm

<SID>adm
<SID>adm

Administrator
<root>

Example: “smbidmap” Entries


Each entry has two lines. The first line contains the SMB (Windows) user ID, the second line the z/OS user
ID. The blank lines have been inserted to improve readability. For a detailed description of the "smbidmap"
file, see the IBM documentation "z/OS Distributed File Service SMB Administration".

Select Method for User Authentication Without Prompting the User for a Password
To ensure that an application server can access USS directories without user intervention, DFS/SMB
supports two different methods of user authentication: pass-through authentication and RACF DCE
segments for SMB encrypted password support.

Pass-through Authentication
This method does not use RACF for authentication. Instead, DFS/SMB uses a domain controller to
authenticate PC users. The user must be registered with the domain controller. There is no password
verification on the mainframe. In order to change your password in the system, you only have to change it in
the domain controller—no other tasks are necessary in USS to ensure that the user is accepted by the
system. To accomplish user authentication, DFS/SMB uses the NTLM authentication protocol. Therefore, the
domain controller must allow you to use NTLM. For more information, see the IBM documentation "z/OS
Distributed File Service SMB Administration".


RACF DCE Segments for SMB Encrypted Password Support


This method uses RACF. In order to enable DFS/SMB to use encrypted passwords, you must configure
"SMB encrypted password support" for each z/OS user that is mapped to a corresponding Windows user.
You must establish a RACF DCE segment for each of these z/OS users. For more information on the
necessary steps, see IBM documentation "z/OS Distributed File Service SMB Administration". Using the
RACF DCE segment does not imply that DCE needs to be active.
In an SAP system, you must carry out this process for the users <SID>adm and <root>. To enable the SMB
server to use encrypted passwords, set the _IOE_SMB_CLEAR_PW dfskern environment variable to
_IOE_SMB_CLEAR_PW=NOTALLOWED (see section Define Environment Variables).
In this case, there is an SMB password. This password must be identical to the password of the Windows
login user. This password is set with the USS command "smbpw". Therefore, you must log on as <SID>adm
in USS and enter the command:
"smbpw <windows_password> <windows_password>"
to set the SMB password of the user <SID>adm. You must carry out this step once again for the user
<root>.
Each time the password of a Windows login user is changed, you must log on with this user to USS on the
mainframe and change the corresponding SMB password to match the new password. You can do this by
entering the USS command "smbpw <windows_password> <windows_password>".

Define Environment Variables


In the "envar" file in "/opt/dfslocal/var/dfs", you must set environment variables for DFS/SMB.
These are as follows:
# set SMB sharing on:
_IOE_PROTOCOL_SMB=ON
# switch DCE RPC sharing off:
_IOE_PROTOCOL_RPC=OFF
# if shared HFS is used:
_IOE_MOVE_SHARED_FILESYSTEM=ON
# for use of encrypted passwords:
_IOE_SMB_CLEAR_PW=NOTALLOWED
# enable absolute links:
_IOE_SMB_ABS_SYMLINK=ON
# provide user mapping:
_IOE_SMB_IDMAP=/opt/dfslocal/var/dfs/smbidmap
# write error messages to console
_EUV_SVC_MSG_LOGGING=CONSOLE_LOGGING
# if DCE is not used:
_EUV_AUTOLOG=NO
# if encryption hardware is not to be used:
_IOE_SMB_OCSF=OFF
# make full use of file tagging (ASCII – EBCDIC):
_IOE_HFS_FILETAG=SET
Table: Necessary Environment Variables

(Lines beginning with the pound sign (#) are comments.)


This list contains only those environment variables that you must set. Depending on the parameter
configuration of the DFS or Windows systems, you may have to set other environment variables also.
Regarding the environment variable _IOE_DYNAMIC_EXPORT: If you assign the value "ON" to this variable,
all file systems on USS that are accessed from Windows automatically receive minor device numbers from
DFS/SMB and are exported. This is even the case if a file system is not listed in "devtab" and "dfstab".


Since this makes it difficult to track which file systems have been exported, we are not going to elaborate on
this topic in this document.
For an exact description of all related environment variables, see the IBM documentation "z/OS Distributed
File Service SMB Administration".
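
The "envar" settings and the two-line "smbidmap" entries described above can be checked together before the SMB server is restarted. The following audit is an added example, not part of the original document or of DFS/SMB; which variables it insists on, the case-insensitive comparison of user IDs, the SID "C11", the installation user "sapinst" and the extra "backupsvc" entry are all assumptions made for illustration.

```python
# Settings this audit insists on; the selection is an assumption of the
# example, the values are the ones in the page's list.
REQUIRED = {
    "_IOE_PROTOCOL_SMB": "ON",
    "_IOE_PROTOCOL_RPC": "OFF",
    "_IOE_SMB_CLEAR_PW": "NOTALLOWED",
    "_IOE_SMB_ABS_SYMLINK": "ON",
}

def parse_envar(text):
    """Return {name: value}; lines starting with '#' are comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def parse_smbidmap(text):
    """Return {smb_user: zos_user}, lower-cased (assumption); blank lines ignored."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("smbidmap: last entry has no z/OS user ID line")
    return {smb.lower(): zos.lower() for smb, zos in zip(lines[0::2], lines[1::2])}

def audit(envar_text, idmap_text, sid, root_user):
    findings, env = [], parse_envar(envar_text)
    for name, want in REQUIRED.items():
        if env.get(name) != want:
            findings.append(f"envar: {name} is {env.get(name)!r}, expected {want}")
    if not env.get("_IOE_SMB_IDMAP"):
        findings.append("envar: _IOE_SMB_IDMAP is not set")
    if env.get("_IOE_DYNAMIC_EXPORT") == "ON":
        findings.append("envar: _IOE_DYNAMIC_EXPORT=ON exports file systems outside devtab/dfstab")
    sid, root_user = sid.lower(), root_user.lower()
    expected = {f"sapservice{sid}": f"{sid}adm", f"{sid}adm": f"{sid}adm",
                "administrator": root_user}
    mapping = parse_smbidmap(idmap_text)
    for smb, zos in expected.items():
        if mapping.get(smb) != zos:
            findings.append(f"smbidmap: {smb} maps to {mapping.get(smb)!r}, expected {zos}")
    for smb, zos in mapping.items():
        if zos == root_user and smb != "administrator":
            findings.append(f"smbidmap: {smb} also maps to installation user {root_user}")
    return findings

# Constructed sample: SID "C11", installation user "sapinst" and the extra
# "backupsvc" entry are invented for the example.
ENVAR = ("_IOE_PROTOCOL_SMB=ON\n_IOE_PROTOCOL_RPC=OFF\n"
         "# _IOE_SMB_CLEAR_PW=NOTALLOWED\n_IOE_SMB_ABS_SYMLINK=ON\n"
         "_IOE_SMB_IDMAP=/opt/dfslocal/var/dfs/smbidmap\n_IOE_DYNAMIC_EXPORT=ON\n")
IDMAP = ("SAPServiceC11\nc11adm\n\nc11adm\nc11adm\n\n"
         "Administrator\nsapinst\n\nbackupsvc\nsapinst\n")

if __name__ == "__main__":
    print("\n".join(audit(ENVAR, IDMAP, "C11", "sapinst")))
```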

Windows Vista, Windows Server 2008


DFS/SMB uses the NTLM authentication protocol. By default, however, Windows Vista and Windows
Server 2008 send NTLMv2 responses, and with these the connection to DFS/SMB is not initiated. In order to
initiate a connection, the default must be lowered to the first NTLM level. This reduces the
security level for all SMB network connections.
To change the defaults, carry out the following steps:
1. Open "Local Security Policy" under "Administrative Tools". Alternatively, you can choose the Windows
button + R, or Start -> Run. Then, enter "secpol.msc".
2. Under “Security Options”, open "Network Security: LAN Manager Authentication Level".
3. Change the setting "NTLMv2" to "Send NTLM response only".


Related Content
z/OS Distributed File Service SMB Administration
High Availability for SAP on zSeries Using Autonomic Computing Technologies
SAP Planning Guide for SAP NetWeaver for IBM DB2 UDB for z/OS
For more information, visit the Software Logistics homepage.


Copyright
© 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries,
zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere,
Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of
IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All
other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may
result from the use of these materials.
SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these
materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and
does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.
Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be
used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of
certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors
or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.
