Category: Host Integration Server 2006


Be aware that:

  • HIS 2006 uses the old Client Context (array of objects)
  • HIS 2010 uses the new Client Context with many new features
  • When converting from HIS 2006 to HIS 2010 using the TIConverterTool, you can still use the old HIS 2006 Client Context.
  • If you recreate or resave a TI Object on HIS 2010, you will have to use the new HIS 2010 Client Context.

Always keep this in mind if you are in a migration process from HIS 2006 to HIS 2010.

You have a computer that is running Microsoft Host Integration Server 2006 or Host Integration Server 2004. When you configure the computer to use an IP-DLC link service to communicate with an IBM mainframe, an access violation may occur in the snaipdlc!nba_mm_free function. This problem can occur when a network outage occurs between the Host Integration Server system and the IBM mainframe.

When this problem occurs, the IP-DLC link service cannot reestablish a connection to the IBM mainframe until the SNA Server service (Snaservr.exe) is stopped and restarted.

Additionally, event messages that resemble the following event messages are logged in the Application log:

Event message 1

Event ID: 590
Source: SNA IP-DLC Link Service
Description: Failed to contact a DLUS for PU. Retry count exceeded. PU name = @C000001

Event message 2

Event ID: 624
Source: SNA Server
Description: Creating dump file E:\Host Integration Server\traces\snadump.log for snalink.exe

Event message 3

Event ID: 23
Source: SNA Server
Description: Connection Failure
Connection = ConnectionName
Link Service = SNAIP1
Outage Code = 00AE

Event message 4

Event ID: 4097
Source: DrWatson
Description: The application, , generated an application error. The error occurred on Date @ Time. The exception generated was c0000005 at address MemoryAddress (<nosymbols>)

Download link: http://support.microsoft.com/kb/930044

In Microsoft Host Integration Server 2006 and in Microsoft Host Integration Server 2004, you may notice that some Advanced Program-to-Program Communications (APPC) session requests are sent to an IBM host system over an IP-DLC connection. This behavior occurs even if the specified remote APPC logical unit (LU) for the APPC application or for the Common Programming Interface for Communications (CPI-C) application is not defined.

The expected behavior is that APPC session requests are sent to the IBM host system over one of the host or peer connections that have a remote APPC LU that is defined in SNA Manager.

If an APPC session request is sent over a host or peer connection to an IBM host system that does not have the specified remote APPC LU defined, the IBM host system rejects the session request and sends a BIND-RSP error response.

Download link: http://support.microsoft.com/kb/925127

Host Integration Server uses a client/server interface to provide secure connections for client-to-server and server-to-server communication. Enforcing authentication on the client/server interface provides the following benefits:

  • Access to resources (e.g. 3270 LUs) is granted based on user account or group membership
  • Message encryption, detection of replayed packets, detection of messages received out of sequence, mutual authentication, and signed messages with verified signatures
  • Integration with Windows security
  • Support for SSO (Single Sign-On)

The following authentication (logon) methods are supported in HIS:

  • NTLM
  • Kerberos

NTLM authentication has been supported in Host Integration Server for quite some time (going back to the SNA Server days). Kerberos authentication was added in HIS 2006.

The HIS 2006 Client will always try to use Kerberos if the target HIS 2006 server is set up to use Kerberos. If Kerberos is not enabled, NTLM authentication will be used.

In order to configure the HIS 2006 Servers for Kerberos authentication, you have to set a Server Principal Name (SPN) for each HIS 2006 Server.

The SETSPN utility can be used to create the SPN. Please refer to the following for more details on the SETSPN utility:

http://technet.microsoft.com/en-us/library/cc773257.aspx

The following is the correct syntax to use when creating the SPN for HIS 2006 Servers:

setspn -A HISSERVICE/<HIS 2006 Server name> <domain>\<HIS 2006 Service account>

HISSERVICE is the Service Class that has been chosen for HIS 2006.

You will need to run this command once for each HIS 2006 Server that you want to enable Kerberos support for.

If you want to create a SPN for a HIS 2006 Server named HISSERVER1 that was configured to use DOMAIN1\HIS_Service as the service account for the HIS services, the correct SETSPN syntax is as follows:

setspn -A HISSERVICE/HISSERVER1 DOMAIN1\HIS_Service

Note: Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.

The HIS 2006 client takes the Service Class (HISSERVICE) and the name of the target HIS Server (Sponsor server or application server) and forms the SPN that it will try to validate. A request is then sent to a Domain Controller to find out if the SPN name is registered. If the SPN name is registered, it is returned to the HIS 2006 Client and Kerberos authentication will be used.
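A read-only way to check the lookup described above before relying on Kerberos (an added example, not part of the original post or of HIS). It assumes a domain-joined machine and searches the current domain only; HISSERVER1 and HIS_Service are the sample names from this page, and the function name Test-HisSpn is hypothetical.

```powershell
# Added example: audit HISSERVICE SPNs in the current domain (read-only).
# Server names and the service account are the page's sample values; replace them.
$ServiceClass    = 'HISSERVICE'
$HisServers      = @('HISSERVER1')    # one entry per HIS 2006 server
$ExpectedAccount = 'HIS_Service'      # sAMAccountName of the HIS service account

function Test-HisSpn {
    param([string]$Server, [string]$Account)

    # Same SPN the HIS client forms: <service class>/<target server name>.
    $spn = "$ServiceClass/$Server"

    # LDAP lookup of the accounts that carry this SPN; no admin rights needed.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    $status = switch ($owners.Count) {
        0       { 'Missing: client will use NTLM' }
        1       { if ($owners[0] -eq $Account) { 'OK' }
                  else { "Registered on unexpected account: $($owners[0])" } }
        default { 'Duplicate: SPN is not unique, Kerberos will fail' }
    }

    [pscustomobject]@{ SPN = $spn; Owners = ($owners -join ', '); Status = $status }
}

$HisServers |
    ForEach-Object { Test-HisSpn -Server $_ -Account $ExpectedAccount } |
    Format-Table -AutoSize
```

An SPN that is registered on more than one account, or on an account other than the one the HIS services run under, is worth catching here, because the client-side symptom is only a logon that shows NTLM instead of Kerberos.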

The following is a basic sequence of events that occurs during a HIS 2006 Client logon using Kerberos:

1. The HIS Client DMOD calls AcquireCredentialsHandle() with “Negotiate” for the security package name.

2. InitializeSecurityContext() provides the Server Principal Name (SPN) for the target server.

3. The client then sends a Ticket Granting Ticket (TGT) and a session ticket request to the Key Distribution Center (KDC).

4. The HIS 2006 client then presents the session ticket to the target server during connection setup.

5. The HIS Server DMOD calls AcquireCredentialsHandle() with “Negotiate” for the security package name.

6. The HIS Server DMOD calls AcceptSecurityContext().

7. The session ticket is then verified.

If SnaBase is running as an application (as opposed to as a Windows service) on a HIS 2006 client, you can put the mouse cursor over the SnaBase Systray icon to determine if Kerberos or NTLM authentication is being used. If the mouse cursor is moved over the SnaBase icon, you may see something similar to the following:

Host Integration Server – <HIS Server Name> (NTLM) (Secure)

<HIS Server Name> would actually contain the name of the HIS 2006 Server that the client has connected to as its sponsor server. The authentication method is then shown next in parentheses and will be either NTLM or Kerberos. Finally, the (Secure) value indicates that HIS client/server encryption is enabled.

If SnaBase is running as a Windows service on the HIS 2006 Client, a SnaBase Systray icon will not be present, so this method for determining the sponsor server, authentication method, and encryption setting is not available. You’d have to use HIS traces using snatrace.exe to capture the startup of the SnaBase process and/or SNA application to see this information.

You may see many of the following warnings on the Microsoft Host Integration Server:

Log Name:      Application
Source:        SNA Base Service
Date:          xxxxxxxx
Event ID:      561
Task Category: None
Level:         Warning
Keywords:      Classic
User:          xxxxxxxx
Computer:      xxxxxxxx
Description:
Write to mailslot or socket failed, rc = 64

 EXPLANATION

 A Win32 WriteFile() or winsock sendto() call failed. The return code is shown.

 ACTION

 Provide network support personnel with the event log file(s) related to SNA, and the return code included in this message. For information about SNA log files, see the "Microsoft Host Integration Server Online Books.

Microsoft Host Integration Server tries to communicate with all servers and clients in a subdomain using broadcast messages. It does this over all protocols that are selected in the SNA Manager.
Not all of these protocols may be enabled on your network. If one of the selected protocols is not enabled, this warning is logged.
To fix this warning, unselect the protocol that causes it.

Normally you should have enabled only TCP/IP. The warning will disappear after you have unchecked Named Pipes.

If you are currently running HIS 2004 or HIS 2006 in a virtual environment or want to investigate the possibility of doing so, there is one potential performance issue that you need to be aware of if you are using (or planning to use) the IP-DLC link service included with HIS 2004 and HIS 2006 to integrate with IBM Enterprise Extender on your IBM systems.

You may find that performance suffers when using HIS and IP-DLC connections in a virtual environment if the applications being used require long-running transactions and use large packet sizes. Unfortunately, I can’t provide any specifics around what defines a long transaction time and large packet sizes as it varies across environments. However, we do know that customers that use HIS 2004 or HIS 2006 in virtual environments where 3270 sessions are mainly used don’t seem to see any differences in performance when compared to running HIS on a real (non-virtual) hardware platform.

In instances where the performance was slower in a virtual environment, the applications that were in use were APPC (LU 6.2) applications that were moving a lot of data between the IBM mainframe and the HIS servers.

I’m sure that the question that comes to mind is why the use of IP-DLC connections with HIS 2004 or HIS 2006 would result in possible performance issues.

The answer to this question lies in understanding the High Performance Routing (HPR) extension to IBM’s APPN architecture. The intent of HPR was to improve APPN data routing performance and reliability. HPR uses an algorithm called Adaptive Rate-Based (ARB) flow/congestion control to determine the rate at which data will be sent across the APPN network. It does this in order to prevent flooding the network with data. You can read all about HPR (Chapter 8) and ARB (Chapter 9) in the following IBM document:

Inside APPN and HPR – The Essential Guide to New SNA
http://www.redbooks.ibm.com/abstracts/sg243669.html

ARB measures the time that it takes packets to go across the network. A subset of the packets (ARB segments) act as checkpoints containing the time in microseconds since the last checkpoint was sent from the point of view of the sender. The receiver can then compare that time with the time that it measures to determine if the network is slowing down. If ARB determines that the network is slowing down, it will reduce the rate at which it sends data. If ARB determines that the network congestion is clearing, it will increase the rate at which it sends data. This all makes sense assuming that the delays that ARB detects are related to network congestion.

As you can see, the ARB algorithm is very sensitive to timing-related issues. If there are timing issues on the system that is sending or receiving the data over the HPR connection, this can cause the ARB algorithm to reduce the rate that data is being sent. This is exactly what can occur when systems using APPN and HPR are running in a virtual environment. There can be delays as the data is passed to a virtual machine (VM) because of timing issues related to running in virtual environments.
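The effect described above can be reproduced with a toy model (an added example, not IBM's ARB algorithm and not code from HIS). The function name Invoke-ArbModel, the decrease and increase steps, the tolerance and the jitter range are all assumptions chosen for illustration; the network delay is held constant so that only receiver-side timing varies.

```powershell
# Added example: simplified model of checkpoint-based rate adjustment.
# All constants are assumptions; this is not the real ARB algorithm.
function Invoke-ArbModel {
    param(
        [int]$JitterUs,             # max extra receiver-side delay per checkpoint (VM scheduling)
        [int]$Checkpoints = 200,
        [int]$IntervalUs  = 10000,  # sender's time between checkpoints, carried in the segment
        [int]$ToleranceUs = 500,    # lag the receiver accepts before treating it as congestion
        [int]$Seed        = 1       # fixed seed so runs are repeatable
    )
    $rng       = New-Object System.Random $Seed
    $rate      = 100.0              # send rate as a percentage of the starting rate
    $prevDelay = 0

    for ($i = 0; $i -lt $Checkpoints; $i++) {
        # Network delay is constant, so the only variation is the receiver's own timing.
        $delay = if ($JitterUs -gt 0) { $rng.Next(0, $JitterUs + 1) } else { 0 }

        # Interval the receiver measures = sender interval + change in delivery delay.
        $measuredUs = $IntervalUs + ($delay - $prevDelay)

        if ($measuredUs -gt ($IntervalUs + $ToleranceUs)) {
            $rate = [math]::Max(1.0, $rate * 0.9)     # looks like congestion: slow down
        } else {
            $rate = [math]::Min(100.0, $rate + 2.0)   # looks clear: speed up
        }
        $prevDelay = $delay
    }
    [math]::Round($rate, 1)
}

[pscustomobject]@{
    'Physical host (no jitter)' = Invoke-ArbModel -JitterUs 0
    'VM (up to 5 ms jitter)'    = Invoke-ArbModel -JitterUs 5000
} | Format-List
```

With no jitter the modelled rate stays at its starting value, while receiver-side jitter alone drives it down even though the network delay in the model never changes.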

The following is a link to an IBM FAQ that mentions this issue for HPR on a CS/Linux environment:

http://www-01.ibm.com/support/docview.wss?rs=1006&context=SSHQLW&dc=DB520&uid=swg21258181&loc=en_US&cs=UTF-8&lang=en&rss=ct1006other

The following is a link to an IBM readme that describes the same issue related to running IBM Communications Server in a virtual environment:

ftp://ftp.software.ibm.com/software/network/commserver/publications/cswin_613/readme.htm#6

As you can see, the potential performance problem can occur with any software that utilizes APPN and HPR to integrate with IBM Enterprise Extender when running in a virtual environment.

If you want to use HIS 2004 or HIS 2006 in a virtual environment using IP-DLC, you should make sure to thoroughly test all of the applications that will be used to make sure that the performance is comparable to that seen when using physical hardware.

An access violation may occur after you upgrade from HIS Server 2006 to HIS Server 2006 SP1.
 
An application that uses the Managed Provider for DB2 may not work correctly in a Host Integration Server 2006 SP1 environment.
 
In a Microsoft Host Integration Server 2006 Service Pack 1 (SP1) environment, when you try to run an application that uses the Managed Provider for DB2, the application does not work correctly. For example, you have an application that reads a record from a DB2 table. To do this, the application calls the DataReader.Read() method, and then the application checks the HasRows property. The application works correctly in a Host Integration Server 2006 environment. However, after you apply Service Pack 1 for Host Integration Server 2006, the application returns no data.
 
Host Integration Server 2006 Service Pack 1 is available now and provides the latest updates for Microsoft Host Integration Server 2006 and Microsoft BizTalk Adapters for Host Systems.
 
 
A list of the bugs that are fixed in Host Integration Server 2006 Service Pack 1: http://support.microsoft.com/kb/979238