Securing the MONITOR database in DB2

You can enhance security on DB2® by granting the MONITOR database user only the privileges needed to access the MONITOR database objects. You can also remove administrative grants from database scripts and place grants on specific database objects that IBM® Business Monitor requires.

Before you begin

Install the MONITOR database by following the instructions in Installing the MONITOR database manually (remote database), applying the changes described in the following steps. This procedure assumes that DBUSER is the value entered in the User name field when the profile is created.
Note: You can create the database before or after the profile is created.

Procedure

  1. Create a DB2 user named DBUSER with the same password that you entered when the IBM Business Monitor profile was created. This user is the runtime database user for IBM Business Monitor and does not require database administrative privileges.
  2. Locate the DDL scripts.
    • Look in the app_server_root/dbscripts/Monitor directory for the scripts that are provided when IBM Business Monitor is installed.
    • If you used the profile creation function to generate scripts that include substituted variable values, look for the scripts in the output directory that you specified when you created the profile. By default, the output directory is app_server_root/profiles/profile/dbscripts/Monitor.
  3. For DB2, edit the scripts:
    1. Edit the createDatabase.sql file and remove the line "GRANT DBADM ON DATABASE TO @DB_USER@;" (in scripts generated by profile creation, @DB_USER@ is already replaced by the user name you entered). DBADM is a database-wide administrative authority; the grants that DBUSER actually needs are issued individually for each table, view, and stored procedure in the next step.
    2. Edit the createTables.sql file. Replace every occurrence of the string "--GRANT STMT--" with an empty string. This removes the comment marker from each GRANT statement so that the statements run in the next step.
  4. Run the scripts:
    • For DB2 on Linux, UNIX, and Microsoft Windows, navigate to the directory that contains the createDatabase.sql script, and complete the following steps:
      1. Enter db2 -tf @createDatabase.sql.
      2. Enter db2 connect to MONITOR.
      3. Enter db2 -tf @createTables.sql.
    • For DB2 z/OS®, navigate to the directory that contains the database creation scripts, and complete the following steps:
      1. Enter db2 -tf @createDatabase_Monitor.sql.
      2. Enter db2 connect to MONITOR.
      3. Enter db2 -tf @createTablespace_Monitor.sql.
      4. Enter db2 -tf @createTable_Monitor.sql.
  5. To create the schema for the Monitor service integration bus data store, run the script for your platform:
    • For DB2 on Linux, UNIX, and Microsoft Windows:
      1. Navigate to the directory that contains the IBM Business Monitor messaging engine scripts.
      2. Enter db2 connect to MONITOR.
      3. Enter db2 -tf @DB2-distributed-SibME.sql.
    • For DB2 z/OS:
      1. Navigate to the directory that contains the IBM Business Monitor messaging engine scripts.
      2. Enter db2 connect to MONITOR.
      3. Enter db2 -tf @DB2-zos-SibME.sql.
    The messaging engine scripts automatically grant the database user access to the service integration bus schema objects. For more information about the database privileges required for database user access, refer to the related WebSphere® Application Server information center topic on messaging engine database privileges.
    Note: The first line of the DB2-zos-SibME.sql file is a CREATE DATABASE statement. Delete this statement if the messaging engine schema objects are to be created in the existing MONITOR database, as in this procedure.
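The following shell script is an added example, not one of the IBM-supplied scripts: it performs the two edits from step 3 (dropping the database-wide DBADM grant and activating the per-object GRANT statements) and then refuses to proceed if any database-level administrative grant survives or if any GRANT is still commented out. The sample script lines used in the comments are constructed to mirror the statements the procedure names; the script assumes the GRANT DBADM statement appears on its own line in uppercase, as in the template, and that in substituted scripts only the @DB_USER@ placeholder differs.

```shell
#!/bin/sh
# Added example: prepare the MONITOR DDL scripts for a least-privilege DBUSER.
# Not part of the IBM Business Monitor scripts. Assumes the template form
#   GRANT DBADM ON DATABASE TO @DB_USER@;
# or the substituted form
#   GRANT DBADM ON DATABASE TO DBUSER;
# and per-object grants commented out with a leading "--GRANT STMT--" marker.

# Step 3.1: delete the database-wide DBADM grant from createDatabase.sql.
# Everything else in the script is passed through unchanged.
strip_dbadm() {
    sed -e '/^[[:space:]]*GRANT DBADM ON DATABASE TO /d' "$1"
}

# Step 3.2: activate the per-object grants in createTables.sql by removing
# the "--GRANT STMT--" comment marker wherever it appears.
enable_object_grants() {
    sed -e 's/--GRANT STMT--//g' "$1"
}

# Guard before running the DDL. Returns 0 only if:
#   - no database-level administrative authority is granted in $1
#     (DBADM, SECADM, DATAACCESS, ACCESSCTRL), and
#   - no "--GRANT STMT--" marker remains in $2, and
#   - $2 contains at least one active GRANT statement.
check_least_privilege() {
    dbscript="$1"
    tblscript="$2"
    if grep -Eiq '^[[:space:]]*GRANT[[:space:]]+(DBADM|SECADM|DATAACCESS|ACCESSCTRL)' "$dbscript"; then
        echo "refusing: database-level administrative grant still present in $dbscript" >&2
        return 1
    fi
    if grep -q -- '--GRANT STMT--' "$tblscript"; then
        echo "refusing: commented-out GRANT statements remain in $tblscript" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*GRANT[[:space:]]' "$tblscript"; then
        echo "refusing: no object-level GRANT statements found in $tblscript" >&2
        return 1
    fi
    return 0
}

# Usage: sh prepare_monitor_grants.sh createDatabase.sql createTables.sql
# Keeps the originals as *.orig, writes the edited scripts in place and runs
# the guard. Running the scripts against DB2 is left to step 4 of the procedure.
if [ "$#" -eq 2 ]; then
    cp "$1" "$1.orig"
    cp "$2" "$2.orig"
    strip_dbadm "$1.orig" > "$1"
    enable_object_grants "$2.orig" > "$2"
    check_least_privilege "$1" "$2" || exit 1
    echo "scripts prepared; run step 4 to create the database and tables"
fi
```

Run the guard again after step 4 from the database side: as an administrative user, query SYSCAT.DBAUTH for GRANTEE = 'DBUSER' and confirm that the DBADMAUTH column is 'N'. If a database-level authority was granted by mistake, revoke it and re-check before handing the profile to the runtime.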