I ran across an error while doing some testing with Session Integrator in a distributed deployment scenario. By “distributed deployment”, I am referring to a deployment where you have a Session Integrator application running on a system that does not host the 3270 or LUA LUs that the application is using to communicate with the mainframe. The LUs are defined on another HIS Server system which is also the system where the Session Integrator Server service is running that the SI application will be using. The following is an example of the 2 server deployment scenario:

Application Server

• HIS 2013 Server
  • Configured with a Role of Secondary Configuration Server or Use Remote SNA Gateway
• Session Integrator application

HIS Server (SNA Gateway)

• HIS 2013 Server
  • Configured with a Role of Primary Configuration Server
    • This HIS 2013 Server doesn’t have to be the Primary Configuration Server if there are other HIS Servers in the HIS Subdomain, but it is for this example.
  • Host connection(s) to the IBM mainframe
  • LUs (either 3270 or LUA, depending on what you use in your environment) that the SI application will use to communicate with the mainframe application.

In this sample deployment, the SI application running on the Application Server uses the Session Integrator Client (SI Proxy) components of the Session Integrator feature to communicate with the Session Integrator Server service that us running on the backend HIS 2013 Server that hosts the LU(s) used to communicate with the mainframe application.

When I setup this type of environment and ran the LU0NET Session Integrator application included in the HIS 2013 SDK, the following error was displayed:

I knew for a fact that the LU that I was trying to connect to was available, so I started into normal troubleshooting to see what might be happening. Since Session Integrator uses DCOM to communicate between the Session Integrator Client and Session Integrator Server components, my first thought was that this might be happening due to a permission issue such as what I described in my Why does Session Integrator log Event ID 6 and Event ID 24 warnings? blog post. It turns out that this was not the cause of the problem. My next step was to enable Session Integrator Client traces via the HIS Trace Utility (histrace.exe) to see what might be happening. After I reproduced the problem with the traces enabled, I took a look at the Session Integrator Client internal (sicint1.atf) trace and I found the following trace statements when the SI Client was trying to connect to the SI Server service:

Try to create server object on SJACKHIS20131

Got handle 1ae66418 from server
Client providing cookie 0xa0a0a0a1

Failed to create session on SJACKHIS20131, hr = 800706ba

The 800706ba return code indicates RPC_S_SERVER_UNAVAILABLE. This indicated to me that the remote server where the SI Server service was running was not listening or not allowing communication over the network protocol/port being used. Therefore, I captured a network trace of the problem using Network Monitor to see what was happening on the network. What I found was that the Application Server was sending a TCP/IP Syn request to the remote HIS 2013 Server, but no response was being received. The Syn request was resent two additional times per the default TCP/IP retry behavior and then the connection attempt failed. This resulted in the error being displayed by the SI application.

This behavior led me to looking at the Windows Firewall settings on the two HIS 2013 Server systems.

First, I went to the HIS 2013 Server where the SI Server service was being used. The HIS specific firewall rules were enabled, but HIS doesn’t create a specific rule for the Session Integrator Server service. I decided to manually create an Inbound Rule for SIServer.exe (Session Integrator Server service) to allow TCP traffic over all ports to the HIS 2013 Server system to see if that would correct the problem.

Second, I went to the Application Server to modify the Windows Firewall settings to allow the Firewall to “Display a notification” when the firewall blocks a program from receiving inbound connections as shown here:

I did this just to see if I would see any messages when running the SI application.

After making these changes on the two servers, I ran the SI application again. The firewall on the Application Server displayed a popup message when I ran the SI application (LogonScriptClient.exe in this case) as shown here:

After clicking Allow access, the firewall adds two new inbound rules (one for TCP traffic and one for UDP traffic) for this application.

After enabling the new firewall rules, the SI application was able to connect to the SI Server service and it was able to connect to the mainframe application using the LU that was specified in the SI application configuration.

The summary is that to allow this type of Session Integrator distributed deployment to work, you may need to do the following depending on your firewall settings in your environment:

• Setup a firewall rule for the Session Integrator Server service to allow incoming TCP traffic from Session Integrator Clients that are running SI applications in the network.
• Setup firewall rules for the SI application on the Application Server to allow incoming connections for the application.

If the Session Integrator application and the Session Integrator Server service are running under different user accounts, then you may also need to setup the DCOM permissions as outline in the other blog post I referenced above.

Based on feedback from both internal and external sources regarding questions about what the latest updates (fixes) are for both Host Integration Server and the Microsoft OLE DB Provider for DB2 (which is included SQL Server Feature Packs), I created a page that lists the current updates fro these products.

I added the link to the Update Center for Microsoft Host Integration Server and Microsoft OLE DB Provider for DB2 page to the Host Integration Server Developer Center.

The goal is that the page will be updated when we release new Cumulative Updates for HIS and new fixes for the OLE DB Provider for DB2.

Hopefully, this new resource will be useful.

Host Integration Server uses two security groups to implement its security model.  The goal of the security model is to allow the runtime and administrators access to the appropriate HIS resources, but limited to only those resources.  This allows our runtime and administrators to operate as minimum privileged accounts (without the need to have local administrator or act as part of the operating system rights).

HIS Administrators group

This groups grants users the rights to manage and configure Host Integration Server.  The HIS Administrators group has the following rights:

• Rights to start and stop the HIS services
• Read/Write access to the HIS configuration
• Can be granted access to enable HIS traces by the local administrator

HIS Runtime group

This groups grants the HIS service account the rights needed by the Host Integration Server services.  The HIS Runtime group has the following rights:

• Run as a service
• Generate security audits
• Read/Write access to the HIS configuration
• Rights to generate traces

The following table contains various information about several versions of the DB2 Providers included with Host Integration Server (HIS) as well as the Microsoft OLE DB Provider for DB2 (DB2OLEDB) included in SQL Server Feature Packs.

As a side note for those that might not be aware, the Microsoft OLE DB Provider for DB2 included with SQL Server Feature Packs is based on the OLE DB Provider for DB2 that is included with Host Integration Server.

Here is an explanation of the information in each column of the table:

• Product – The product for which the rest of the row information applies to. For example, DB2OLEDBv1 is the Microsoft OLE DB Provider for DB2 V1.0 that was included in the SQL Server 2005 Feature Pack.
• File Version – This indicates the released file version of the DB2 Provider. If you were to install the Microsoft OLE DB Provider for DB2 V5.0 (DB2OLEDBv5) from the SQL Server 2014 Feature Pack, you would find that the file version of msdrda.dll is 9.0.2148.0.
• Supported for fixes? – This information indicates if the specific version is still in Mainstream support, which means that new fixes can still be provided for that version. “No” indicates that new fixes cannot be provided for that version. If the column contains a date, that is the date that the product transitions from Mainstream Support to Extended Support at which time new fixes will no longer be done.
• Dependent Product’s Lifecycle – This column lists product to which the DB2 Provider version’s lifecycle is associated with. This is pretty obvious for the DB2 Providers included with HIS because the HIS lifecycle applies. For the SQL Server Feature Provider versions, the lifecycle is associated with the lifecycle of the specific SQL Server version that that DB2 Provider was included with. The links take you to the product’s lifecycle information on http://support.microsoft.com/lifecycle.
• DB2 for z/OS (Mainframe) – The versions of IBM DB2 for z/OS supported by this version of the DB2 Provider.
• DB2 for iSeries (AS/400) – The versions of IBM DB2 for iSeries (AS/400) supported by this version of the DB2 Provider.
• DB2 for LUW (Linux, Unix, Windows) – The versions of IBM DB2 for LUW supported by this version of the DB2 Provider.

* The DB2 Providers included with HIS 2010 were not supported for use with IBM DB2 for z/OS V10 or IBM DB2 for iSeries V7R1 when HIS 2010 was released. Support for these two DB2 versions was added later. We recommend that you have the current HIS 2010 Cumulative Update (CU) applied when integrating with these DB2 versions. As of June 2014, the current HIS 2010 CU is CU9.

You can refer to the Update Center for Microsoft Host Integration Server and Microsoft OLE DB Provider for DB2 to see the latest updates for HIS and the DB2OLEDB providers.

In addition, please refer to the Microsoft Support Lifecycle site for details on the various lifecycle stages.

For any of you running HIS 2009 in your environments, you should be aware that HIS 2009 has entered the Extended Support phase of its lifecycle as of July 8, 2014.

When a product is in Extended Support, it means that Microsoft Support still provides support, but new hotfixes will no longer be created for any new issues that are identified as bugs. In order to get new hotfixes, you would need to purchase an extended support contract.

The HIS 2009 lifecycle is available at http://support.microsoft.com/lifecycle/?p1=14033.

One final Cumulative Update (CU7) will be released for HIS 2009. The exact release date is not finalized, but it is targeted for sometime in August. The CU7 update will include fixes for HIS 2009 that have been done since HIS 2009 CU6.

If you are using HIS 2009, you should start planning on a plan to move a newer version.

Thanks…

The Host Integration Server Product Team has just released the seventh and final Cumulative Update (CU) for HIS 2009. The cumulative update model is used to package and release product fixes on a more consistent schedule.

HIS 2009 CU7 includes all released fixes for HIS 2009, including all the fixes included in the six previous HIS 2009 cumulative updates. HIS 2009 CU7 includes nine new fixes. Details on the included fixes can be found in the following Knowledge Base article:

2975320 Cumulative Update 7 for Host Integration Server 2009

You can download HIS 2009 CU7 via the Hotfix Download Available link in the KB article. You would need to download the CU7 package that matches the HIS 2009 version (x86 or x64) that you have installed.

As noted above, this is the final Cumulative Update for HIS 2009 because HIS 2009 moved to Extended Support as of July 8, 2014. Please refer to the HIS 2009 lifecycle page for details.