Creating a RACF profile with permissions for Db2 Data Gate
Complete the steps presented here to grant the required permissions to the users that run Db2 Data Gate stored procedures.
Before you begin
Make sure that the required z/OS® Communications Server components are installed and operational.
Procedure
- Add commands to create a RACF® profile with the appropriate permissions:
- First add commands to define the required profiles in the FACILITY class (RDEFINE creates the profiles; the class itself must already be active):
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
- Grant the required permissions. All users that run Db2 Data Gate stored procedures need READ access to IRR.DIGTCERT.LIST and UPDATE access to IRR.DIGTCERT.LISTRING, as shown in the following example. In the example, these permissions are given to the users in group IBMGRP01:
PE IRR.DIGTCERT.LIST CL(FACILITY) ID(IBMGRP01) ACC(READ)
PE IRR.DIGTCERT.LISTRING CL(FACILITY) ID(IBMGRP01) ACC(UPDATE)
Important: Later, during the installation, you are asked to specify a privileged user (see Creating Db2 Data Gate users and granting privileges on z/OS). This privileged user is a stored procedure user, and therefore must have the permissions listed here. You might want to give these permissions to all users, which can be achieved by running the following commands. Note that ID(*) grants the access to every user on the system, so prefer a group when you can scope the grant more narrowly:
PE IRR.DIGTCERT.LIST CL(FACILITY) ID(*) ACC(READ)
PE IRR.DIGTCERT.LISTRING CL(FACILITY) ID(*) ACC(UPDATE)
In addition, the user IDs under which the Db2 address spaces run (the Db2 started task users), such as the DDF address space (DIST), require the UPDATE permission:
PE IRR.DIGTCERT.LISTRING CL(FACILITY) ID(DB2USER) ACC(UPDATE)
Note: Granting UPDATE access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class is not a security risk. It is true that users with this permission can list anyone's key ring. However, that only allows these users to extract and use the certificates in the key ring, which contain public keys. It does not allow them to use the private keys associated with those certificates. Therefore, users with UPDATE access to IRR.DIGTCERT.LISTRING cannot impersonate somebody else's user ID.
- The key ring referenced by the TTLSKeyRingParms keyword in the AT-TLS configuration must contain a certificate for the Certificate Authority. If a suitable key ring does not yet exist, create one and then connect the CA certificate to it. Include, for example, the following code in the JCL job, which creates a key ring for a Db2 started task user named DB2USER. If necessary, replace DB2USER with the ID of the actual user:
//* add a ring
RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
For more information, see the IBM® Redpaper DB2® for z/OS: Configuring TLS/SSL for Secure Client/Server Communications.
- Submit the JCL job.
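The following is an added example of a complete JCL job that runs the whole procedure above in one TSO batch step; it is not taken from the IBM page. It assumes that group IBMGRP01 exists, that the Db2 started task user is DB2USER, that the key ring is to be named DB2AKEYRING, that the FACILITY class is active and RACLISTed, and that the submitting user has the authority to issue these RACF commands (for example RACF SPECIAL). The two additions beyond the commands on the page are a SETROPTS RACLIST(FACILITY) REFRESH, without which permissions in a RACLISTed class do not take effect, and a verification step that lists the access lists and the new key ring.

```jcl
//RACFDG   JOB (ACCT),'DATA GATE RACF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example (not IBM's code): RACF setup for Db2 Data Gate.
//* Assumptions, adjust for your site:
//*   IBMGRP01    group of users that run the Data Gate stored procs
//*   DB2USER     Db2 started task user (DDF/DIST)
//*   DB2AKEYRING key ring named by TTLSKeyRingParms in AT-TLS
//* Step RACF runs the commands under TSO batch (IKJEFT01).
//* Order of SYSTSIN:
//*   1. RDEFINE the FACILITY profiles (message only if they exist)
//*   2. PERMIT READ/UPDATE for the stored procedure group
//*   3. PERMIT UPDATE on LISTRING for the Db2 started task user
//*   4. RACDCERT ADDRING for the started task user's key ring
//*   5. SETROPTS REFRESH so the new permissions take effect
//*   6. RLIST / LISTRING to verify the result in SYSTSPRT
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IBMGRP01) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IBMGRP01) ACCESS(UPDATE)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(DB2USER) ACCESS(UPDATE)
 RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
 SETROPTS RACLIST(FACILITY) REFRESH
 RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
 RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
 RACDCERT ID(DB2USER) LISTRING(DB2AKEYRING)
/*
```

After the job ends, check SYSTSPRT: the RLIST output should show IBMGRP01 with READ on IRR.DIGTCERT.LIST and with UPDATE on IRR.DIGTCERT.LISTRING, DB2USER with UPDATE on IRR.DIGTCERT.LISTRING, and the LISTRING output should show an empty DB2AKEYRING, ready for the CA certificate to be connected. If you prefer the ID(*) variant from the page, replace ID(IBMGRP01) in the first two PERMIT commands with ID(*).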