Function level 505 (APAR PH59534 - April 2024)
Function level 505 introduces token-based authentication, temporal support for security-related catalog tables, a new trace destination for Db2ZAI, the INTERPRET function.
Contents
New token-based authentication capability
Temporal support for security-related catalog tables
| Enabling APAR: | PH59534 |
|---|---|
| Full identifier: | V13R1M505 |
| Catalog level required: | V13R1M505 |
| Product identifier (PRDID): | DSN13016 |
| Incompatible changes: | None |
New capabilities in function level 505
Function level 505 activates the following new capabilities in Db2 13.
- New token-based authentication capability
-
Starting in function level 505, Db2 supports token authentication by using the RACF® Identity Token (IDT) capability. You can enable Db2 to send and receive an authentication token in a connection request without any other credentials.
For more information, see the following related topics:
- Enabling Db2 for token authentication
- Enabling Db2 to send authentication tokens
- Enabling Db2 to receive authentication tokens
APAR PH55599 delivered the functional code for enabling Db2 for token authentication. This new function also requires the following RACF/SAF APARs for IDT2 support:
- Temporal support for security-related catalog tables
-
Function level 505 provides the ability to access information about the authorizations and privileges that were in place for Db2 objects and users at a point in time in the past. This information can be a useful source of evidence for security auditing purposes.
Temporal support is implemented through the use of history tables that are associated with their corresponding catalog tables. For more information, see Temporal support for security-related catalog tables.
APAR PH59531 delivered the functional code for temporal support for security-related catalog tables.
- New trace destination for Db2ZAI
-
Function level 505 introduces a new trace destination, ZAI, that is used by some Db2ZAI Distributed Connection Control (DCC) related traces. DCC traces are processed for connection and thread related statistics and bypass writing to SMF unless the trace was started with DEST(SMF).
For more information, see the following related topics:
APAR PH56369 delivered the functional code for the trace destination for Db2ZAI.
- INTERPRET scalar function
-
Function level 505 introduces the INTERPRET built-in function, which takes an expression that returns a built-in binary or character FOR BIT data string as its first operand and interprets it as the specified data type. The INTEPRET function is especially useful for converting hexadecimal values that identify data rows in many Db2 error messages into BIGINT values that can be used as input to the RID built-in function.
The following table shows example results from various invocations of the INTERPRET function.
Function invocation Result value INTERPRET(BX'00000011' AS INTEGER)17 INTERPRET(BX'0000000000B0370D' AS BIGINT)11548429 INTERPRET(BX'616263' AS CHAR(3) CCSID 37)/ÃÄ INTERPRET(BX'616263' AS CHAR(3) CCSID 1208)abc INTERPRET (BX'0005C1C2C3C4C5' AS VARCHAR(5))ABCDE INTERPRET(BX'0003C1C2C3C4C5' AS VARCHAR(5))ABC INTERPRET(BX'0007C1C2C3C4C5' AS VARCHAR(7))Error For more information, see the following related topics:
APAR PH59595 delivered the functional code for the INTERPRET function.
V13R1M505 application compatibility
Most new SQL capabilities become available only to applications that use the equivalent application compatibility (APPLCOMPAT) level or higher. For a list, see SQL changes in Db2 13 application compatibility levels.
For more information about application compatibility levels, see Controlling the Db2 application compatibility level.
How to activate function level 505
The following steps summarize the process for activating this function level. To learn more about how to activate and control the adoption of new capabilities available for use in your Db2 13 environment and continuous delivery in general, see Adopting new capabilities in Db2 13 continuous delivery.
To activate function level 505, complete the following steps:
- If Db2 13 is still at function level 100, activate function level 500 first. For more information, see Activating Db2 13 function level 500 or higher.
- Generate tailored JCL jobs for the CATMAINT and function level activation steps.
You can use the DSNTIJBC batch job or the Db2 installation CLIST.
Tip: You can avoid working through the Db2 installation CLIST panels in interactive mode by running a batch job with valid input files to generate the required JCL jobs and input files with a background process. See Generating tailored Db2 migration or function level activation jobs in the background.To generate the required JCL jobs and input files with a background process, complete the following steps:- Customize the DSNTIDOA parameter override file by following that instructions in the file.
- Customize the DSNTIJBC job. For example, if prefix.SDSNSAMP(DSNTIDOA) is the customized parameter override file, you can specify the following values in the IPSTART command in DSNTIJBC.
ISPSTART CMD(%DSNTINSB + OVERPARM(prefix.SDSNSAMP(DSNTIDOA)) + ) BREDIMAX(1) - If you use Db2 Value Unit Edition, you must also provide the data set name of the DSNTIDVU parameter override file in the IPSTART command in the DSNTIJBC job, as shown in the following example, where prefix.SDSNSAMP(DSNTIDVU) is the customized OTC LICENSE file.
ISPSTART CMD(%DSNTINSB + OVERPARM(<prefix>.SDSNSAMP(DSNTIDOA)) + OTCLPARM(<prefix>.SDSNSAMP(DSNTIDVU)) + ) BREDIMAX(1) - Submit the customized DSNTIJBC job.
To generate the required JCL jobs and input files with the Db2 installation CLIST in interactive mode, complete the following steps:- In panel DSNTIPA1, specify INSTALL TYPE ===> ACTIVATE. Then, specify the name of the output member from the previous function level activation (or migration) in the INPUT MEMBER field, and specify a new member name in the OUTPUT MEMBER field.
- In panel DSNTIP00, specify the current function level and TARGET FUNCTION LEVEL ===> V13R1M505. The Db2 installation CLIST uses this value when it tailors the ACTIVATE command in the DSNTIJAF job and the CATMAINT utility control statement in the DSNTIJTC job.
- Proceed through the remaining Db2 installation CLIST panels, and wait for the Db2 installation CLIST to tailor the jobs for the activation process. The output data set contains the tailored jobs for the activation process. For more information, see The Db2 installation CLIST panel session.
- Ensure that no incompatible applications will interfere with the catalog update. For details, see Identifying applications that are incompatible with catalog updates.
- Update the catalog and verify the changes for function level 505 by completing the following steps:
- Run the tailored DSNTIJTC job, or run the CATMAINT utility with LEVEL V13R1M505, to update the catalog to the appropriate catalog level. If multiple catalog updates are required, the CATMAINT job processes each update in sequential order. If a later update in the sequence fails, the previous successful updates do not roll back, and the catalog level remains at the highest level reached. If that occurs, you can correct the reason for the failure and resubmit the same CATMAINT job.
- If the CATMAINT utility jobs from the previous step placed any altered Db2 catalog objects in REORG-pending (AREO*) advisory status, run the REORG utility for those objects.
- Run the generated DSNTIJX2 job to run the CHECK INDEX utility for Db2 catalog and directory indexes for new objects created in Db2 13.
- Check that Db2 is ready for function level activation by issuing the following ACTIVATE command with the TEST option:
Db2 issues message DSNU757I to indicate the results. For more information, see Testing Db2 function level activation.-ACTIVATE FUNCTION LEVEL (V13R1M505) TEST - Run the tailored DSNTIJAF job, or issue the following ACTIVATE command:
-ACTIVATE FUNCTION LEVEL (V13R1M505) - If you are ready for applications to use new capabilities in this function level, rebind them at the corresponding application compatibility level. For more information, see Controlling the Db2 application compatibility level. Optionally, when you are ready for all applications to use the new capabilities of the target function level, you can run the following jobs:
- Run DSNTIJUZ to modify the subsystem parameter module with the APPLCOMPAT value that was specified on panel DSNTIP00.
- Run DSNTIJOZ job to issue SET SYSPARM command to bring the APPLCOMPAT subsystem parameter changes online.
- Run DSNTIJUA job to modify the Db2 data-only application defaults module with the SQLLEVEL value that was specified on panel DSNTIP00.