Security for DB2

In the CICS® DB2® environment, there are four main stages at which you can implement security checking.

The four stages are:
  • When a CICS user signs on to a CICS region. CICS sign-on authenticates users by checking that they supply a valid user ID and password.
  • When a CICS user tries to use or modify a CICS resource that is related to DB2. This could be a DB2CONN, DB2ENTRY or DB2TRAN resource definition; or a CICS transaction that accesses DB2 to obtain data; or a CICS transaction that issues commands to the CICS DB2 attachment facility or to DB2 itself. At this stage, you can use CICS security mechanisms, which are managed by RACF® or an equivalent external security manager, to control the CICS user's access to the resource.
  • When the CICS region connects to DB2, and when a transaction acquires a thread into DB2. Both the CICS region and the transaction must provide authorization IDs to DB2, and these authorization IDs are validated by RACF or an equivalent external security manager.
  • When a CICS user tries to use a CICS transaction to execute or modify a DB2 resource. This could be a plan, or a DB2 command, or a resource that is needed to execute dynamic SQL. At this stage, you can use DB2's security checking, which is managed either by DB2 itself, or by RACF or an equivalent external security manager, to control the CICS user's access to the resource.

You can also use RACF, or an equivalent external security manager, to protect the components that make up CICS and DB2 from unauthorized access. You can apply this protection to DB2 databases, logs, bootstrap data sets (BSDSs), and libraries outside the scope of DB2, and to CICS data sets and libraries. You can use VSAM password protection as a partial replacement for the protection provided by RACF. For more information, see CICS system resource security.

Note: RACF is referred to here as the external security manager used by CICS. Except for the explicit RACF examples, the general discussion applies equally to any functionally equivalent non-IBM® external security manager.

Figure 1 shows the security mechanisms involved in a CICS DB2 environment.

Figure 1. Overview of the CICS DB2 security mechanisms

Four security mechanisms are shown: CICS security, DB2 security, RACF (resource access control facility), and VSAM security.
  • CICS security, in the CICS address space, authenticates users at sign-on, and checks that users are authorized to use transactions.
  • DB2 security or RACF, in the DB2 address space, checks users' authority and privileges with respect to DB2 objects (such as plans and tables).
  • RACF, which is optional, can be used to verify that a CICS system is allowed to connect to DB2; to authenticate a user at sign-on to CICS; to check that CICS users are authorized to use transactions; and to protect CICS and DB2 data sets and libraries from unauthorized access.
  • VSAM security, which is optional, uses VSAM passwords to protect table spaces, VSAM catalogs, DB2 system data sets and DL/I database VSAM data sets.