Creating standalone Db2 subsystem provisioning services
With the Db2 software services template, you can create services that rapidly provision from scratch one or multiple standalone Db2 subsystems, in IBM Cloud Provisioning and Management for z/OS. For information about cloud provisioning, including a description of the roles involved, see Cloud provisioning services.
The sample Db2 software service template is built on top of z/OSMF cloud provisioning service infrastructure. For more information about how to load and use the service in z/OSMF, see Software Services task overview.
The sample Db2 software service template exploits the Network Resource Pool under the z/OSMF Cloud Provisioning Resource Management. For more information, see Resource authorizations for the Configuration Assistant plug-in. For a tutorial that walks you through the steps that are needed, see Getting Started Tutorial – Cloud.
This readme is intended for the service provider, who configures and makes the Db2 subsystem provisioning service available to consumers in your shop.
About the sample Db2 software service template
You can use the sample Db2 software service template, to build your own Db2 software service template to provision multiple standalone Db2 12 for z/OS subsystem instances in a “typical Db2 configuration” with the following attributes:
The subsystem name (
ssid
) is based on two characters that you specify, and a two-digit numeric value that indicates the unique instance. The examples throughout this readme assume that you specifyDY
and that you specify five instances, so that Db2 subsystems are provisioned with the following names forssid
: DY00, DY01, DY02, DY03, and DY04.Other names within provisioned Db2 subsystems are based on a standard naming convention.
Accepts only TCP/IP connections.
Subsystem parameter (zPARMS) settings, as recommended by the latest best practices.
Three dual sets of active logs.
Archive logs and images copies to DASD only.
The following work files:
For sort work, one 4K and one 32K work file, with PRIQTY 20MB and SEGSIZE 16
For declared global temporary tables (DGTT), one 4K and one 32K workfile, with PRIQTY 20MB and SEGSIZE 16
The following default buffer pools for user data, with 5000 buffers for each:
BP1 for table spaces with 4 KB pages
BP8K1 for table spaces with 8 KB pages
BP16K1 for table spaces with 16 KB pages
BP32K1 for tables spaces with 32 KB pages
BP32K2 for LOB data
BP16K2 for XML data
BP2 for indexes
All Db2-supplied stored procedures installed and verified.
Optionally, the following features enabled and verified:
Db2 REST services
ODBC connectivity
JDBC type-2 and type-4 connections
Later, you can also use the sample Db2 software service template to deprovision the provisioned Db2 subsystems.
Setting up the sample Db2 software service template
The files of the service are stored in a directory in z/OS UNIX System Services, and the directory and files must be accessible to z/OSMF. All required files are compressed into the Db2ProvisionSystemNonDS.pax
file.
Download the
Db2ProvisionSystemNonDS.pax
file.Use FTP in binary mode to upload the
Db2ProvisionSystemNonDS.pax
file to the directory where you want to store the service in z/OS UNIX System Services. The maximum length for the directory name is 40 characters.Extract the file into the directory of your choice, for example:
pax -rvf Db2ProvisionSystemNonDS.pax
Inside the directory that you specified, the extracted directory
<service-base-dir>
has the following structure:File Description dsntiwin.xml
,dsnopent.xml
Workflows to provision a Db2 standalone subsystem and enable optional features (Db2 REST services, ODBC, JDBC) actions.xml
A workflow for actions of the service dsndeprv.xml
A workflow to deprovision a Db2 standalone subsystem dsnstart.xml
A workflow for starting the Db2 subsystem dsnstop.xml
A workflow for stopping the Db2 subsystem dsndddf.xml
A workflow for displaying DDF details for the Db2 subsystem dsndgrpd.xml
A workflow for issuing the -DISPLAY GROUP DETAIL command dsnoptft.xml
,dsnopent.xml
Workflows for enabling optional features (Db2 REST services, ODBC, JDBC) dsnti*
Several JCL templates used by the dsntiwin.xml
,dsnopent.xml
,dsnstart.xml
,dsnstop.xml
, anddsndeprv.xml
workflowsdsnte*
Several JCL templates used by the dsntiwin.xml
anddsnopent.xml
workflowsdsntivin
The input property file used by the workflows In addition, copy
db2provision.jar
in binary into your installation's DB2BASE/classes directory. This jar file is installed by default in the directory specified by the DDDEF created for SDSNACLS.Update the files in the template for changes to subsystem parameters in the following APARs. For instructions, see the following readme files:
Preparing the environment for the Db2 software service template
Before building your own template based on the sample, verify with the following adminstrators that their prerequisite tasks are complete:
Cloud provisioning administrator tasks
Enable Cloud Provisioning Software Services in the z/OSMF server.
Enable a network resource pool (NRP) in the z/OSMF server, with a port allocation range enough for the number of instances provisioned. Each Db2 subsystem requires two ports, a port for DRDA and REST services and a RESYNC port.
System programmer tasks
Provide the SMP/E Db2 product target libraries, with the the following Db2 12 APARs applied: PI85657, PI97635, PI99403, PH02971, PH05259, and PH06733; and if Db2 REST services will be enabled on the provisioned Db2 subsystems, APARs PI70652 and PI96649.
Certify that the SMP/E Db2 product target libraries for SDSNEXIT, SDSNLINK, SDSNLOAD, SDSNLOD2 and IRLM RESLIB are APF-authorized Note: SDSNLOD2 is a PDSE data set, which contains JDBC and SQLJ DLLs. Although DB2 does not require that SDSNLOD2 be APF-authorized, be aware that if this data set is in a STEPLIB data set concatenation of an address space that does need APF authorization, SDSNLOD2 must also be APF-authorized. The provisioning template concatenates SDSNLOD2 when verifying JDBC local connection (Type-2) in Optional Features.
Provide data set names, including for host languages (see
Section 7: Host language data sets
, in thedsntivin
file.)Provide directories for the following installed FMIDs:
JDBCC12 for Db2 JDBC/SQLJ. All variables must be set in
Section 6: Db2 Java properties
, in thedstnivin
file.JDBCC17 for Db2 ODBC. The following variables must be set in
Section 7: Host language data sets
, in thedstnivin
file: CCOMP, CPPAUTCL, LELKED, LEPLMSGL, and LERUN.HDDA211 for z/OS Application Connectivity.
Verify installation, and provide directories where indicated, for the following installed FMIDs:
JDBCC12 for Db2 JDBC/SQLJ. All variables must be set in
Section 6: Db2 Java properties
, in thedstnivin
file.JDBCC17 for Db2 ODBC. The following variables must be set in
Section 7: Host language data sets
, in thedstnivin
file: CCOMP, CPPAUTCL, LELKED, LEPLMSGL, and LERUN.HDDA211 for z/OS Application Connectivity.
HDBCC1K for Db2 Utilities Suite for z/OS.
Network administrator tasks
Provide a range of TCP/IP ports to be used under the Network Resource Pool (NRP). The ports in this range cannot be part of the TCP/IP Profile.
Security administrator tasks
Provide the Db2 authorization IDs in the following table for
Section 4: Db2 authorization IDs
in thedsntivin
file:
Field or ID | Input variable | Remarks |
---|---|---|
Executor ID for workflow steps | AGEXECID |
This ID requires authority to generate RACF PassTickets and UPDATE access to the MVSADMIN.WLM.POLICY facility class, if the RACF facility class is active. |
CONSOLE NAME | CONSNAME |
This ID must have z/OS console operator authority, to issue Db2 START/STOP commands. |
ROUTINES CREATOR | AUTHID |
The CURRENT SQLID when creating, configuring, and validating Db2-supplied stored procedures. This ID requires the following authorities:- READ access to the MVSADMIN.WLM.POLICY facility class, if the RACF facility class is active- READ access to the MVS.MCSOPER.DSNTRVFY opercmds class, if the RACF opercmds class is active. |
SEC DEF CREATOR | SECDEFID |
The CURRENT SQLID when creating, configuring, and validating Db2-supplied stored procedures, that are created with the SECURITY DEFINER option. |
INSTALL SQL ID | INSSQLID |
|
INSTALL GRANTEE(S) | INSGRLST |
|
INSTALL PKG OWNER | INSPKOWN |
|
IVP SQL ID | IVPSQLID |
|
IVP PACKAGE OWNER | IVPPKOWN |
|
IVP GRANTEE(S) | IVPGRLST |
|
SYSTEM ADMIN 2 | PROTADM2 |
|
SYSTEM ADMIN 1 | PROTADMN |
|
SYSTEM OPERATOR 1 | PROTOPR1 |
|
SYSTEM OPERATOR 2 | PROTOPR2 |
|
SECURITY ADMIN 1 | SECADMN1 |
|
SECURITY ADMIN 2 | SECADMN2 |
|
PACKAGE OWNER | RTM05PKO |
The ID to own the package for the Db2-supplied SYSPROC.DSNAHVPM stored procedure. |
Define RACF STARTED class profiles to all potential provisioned Db2 subsystem instances associating an ID to be used by each Db2 address space.
Define RACF DSNR class profiles to control access to any provisioned Db2 subsystem from another environment, such as CICS, IMS, TSO, RRS, BATCH, DDF and REST services.
Define RACF SERVER class profiles to control access to any provisioned Db2 subsystem because they will use stored procedures in a WLM-established address space.
Storage adminstrator tasks
Define SMS constructs, such as SMS classes and storage groups, for Db2 provisioning. The SMS storage groups can be per instance or shared by all potential provisioned Db2 instances.The storage administrator can decide if image copy data sets and archive log data sets are to share the SMS storage groups with other Db2 data sets.
Together with the security administrator, provide access authorization to all prefixes in the following table to the Db2 IDs, including the ID that executes the steps of the Db2 provisioning workflow.
Define ACS routines to be used to determine the SMS classes and storage groups for data sets allocation during a Db2 subsystem provisioning.
Define USERCATs and ALIASes, associating them to their specific SMS storage group. Important: The provisioning process determines the
ssid
value. You must do the definition work for all potential instances. If you are allowing 5 instances, then you must have 5 sets of definitions below corresponding to the 5ssid(s)
that can be generated. For example: DY00SYS, DY01SYS, an so on.
prefix | to be used for |
---|---|
a) ssidSYS |
Db2 catalog, directory, and IVP data sets |
b) ssidLOG |
Db2 BSDS, active logs, and archive logs data sets |
c) ssidUSR |
Db2 User data |
d) ssidCP1 |
Db2 Image Copy data sets |
e) HLQ |
Aliases for the SMP/E libraries and Db2 non-SMP/E data sets.(1) |
(1) The HLQ
here will be concatenaded with the instantiated ssid
and used as the prefix in all aliases and non SMP/E Db2 data sets.
Naming conventions for the sample Db2 software service template
The template uses the following naming conventions The naming conventions are very important for coordination of the IBM Cloud Provisioning and Management register between provision and deprovision processes.
Named item | Name format and description |
---|---|
Db2 subsystem identifier – (ssid) | ssid - two characters provided when building the template plus a two-character sequential number. Throughout this information, ssid refers to this value. The template enforces that ssid is 4 characters. For example, if you specify DY , ssid is DY00. Recommendation: Start with “D” and another character to identify the set of Db2 subsystems. Do not use the letter “I” as the first character. |
IRLM subsystem identifier | Isid - The template builds the name by replacing the first character of the provisioned Db2 subsystem by the letter “I.” For example: DY00 and IY00` |
Db2 SMP/E TLIB data set | HLQ.ssid.SDSN* |
IRLM SMP/E TLIB data set | HLQ.ssid.SDXRRESL |
Db2, IRLM, and WLM address space startup procedures | ssidMSTR , ssidDBM1 , ssidDIST , ssidIRLM , and ssidWLMx |
Db2 command prefix | -ssid |
Db2 location | ssid |
Db2 IPNAME | ssid |
Db2 ZPARM | ssidZPRM |
Db2 BSDS | ssidLOG.ssid.BSDSnn |
Db2 active Logs | ssidLOG.ssid.LOGCOPYn.DSmm |
Db2 archive Logs | ssidLOG.ssid.ARCLGn |
Db2 catalog and directory | ssidSYS.* |
Db2 image copy template | ssidCP1.&DB..&SN..&IC..D&JU..T&TI. |
Db2 flash copy template | ssidCP1.&DB..&SN..N&DSNUM..&UQ. |
Db2 non-VSAM data sets | HLQ.ssid.* |
Compression Dictionary Data Set (CDDS) prefix | ssidSYS |
Db2 WLM application environments for supplied stored procedures – (*) | ssidWLM_GENERAL ssidWLM_PGM_CONTROL ssidWLM_UTILS ssidWLM_NUMTCB1 ssidWLM_XML ssidWLM_JAVA ssidWLM_REXX ssidWLM_DEBUGGER ssidWLM_DSNACICS ssidWLM_MQSERIES ssidWLM_WEBSERVICES |
Java runtime options (JAVAENVV, JVMPROPS) | ${DB2BASE}/classes/ssidenvfile.txt and ${DB2BASE}/classes/ssidjvmsp |
Db2 program preparation and utilities invocation JCL procedures | HLQ.ssid.PRIVATE.PROCLIB - The template allocates a “private.proclib” data set, to add the Db2 program preparation and utilities invocation JCL procs per each provisioned Db2 subsystem |
Specifying input properties
The dsntivin
input variable file defines and describes more than 1200 input properties that define the Db2 subsystem. At provisioning time, values are set for about 200 of these variables based on the Db2 subsystem instance name being provisioned. The remaining variables are defined with default values from the sample template, or the values entered in the install CLIST panel. Review these values carefully before you publish the template.
If you are using the sample artifacts before building your own template, you must edit the dsntivin
input variable file, and update it according to your installation as follows:
In
Section 1: Variables to support provisioning instantiation
, you do not need to change anything, unless you want to use a COMMAND PREFIX (AGSSIDPX) to use other character than–
(hyphen)In
Section 2: Db2 function level
, no changes are required. The sample template is built on top of Db2 12 function level 502.You must update the values in each of the following sections for your environment in:
Section 3: Db2 install data sets prefix/HLQ
Section 4: Db2 authorization IDs
Section 5: Db2 product SMP/E target libraries
Section 6: Db2 Java properties
Section 7: Host language data sets
Section 8: Other data sets
In
Section 9: Variables whose values will be generated at provisioning time
, do not change anything. The values of the variables in this section are built at provisioning time according to the subsystem instance name (ssid
) being provisioned and the naming convention rules for provisioning.In
Section 10: Variables with default values for provisioning a typical Db2 configuration
, you do not need to change any of these variables if you want the recommended configuration. The following table lists variables that use different default values than are used by the Db2 installation CLIST.
Variable name (parameter name if different) | Db2 CLIST default | Template default |
---|---|---|
ABIND |
YES |
COEXIST |
ACCUMACC |
10 |
NO |
ADMTPROC |
ssidADMT |
blank |
ARCHDEVT (UNIT ) |
TAPE |
SYSDA |
ARCHDEV2 (UNIT2 ) |
blank (no value) | SYSDA |
ARCHTS (TSTAMP ) |
NO |
YES |
ASCSSID |
blank (no value) | 819 |
BP1 |
0 |
5000 |
BP2 |
0 |
5000 |
BP8K0 |
2000 |
5000 |
BP8K1 |
0 |
5000 |
BP16K0 |
500 |
5000 |
BP16K1 |
0 |
5000 |
BP16K2 |
0 |
5000 |
BP32K |
250 |
5000 |
BP32K1 |
0 |
5000 |
BP32K2 |
0 |
5000 |
BSACP (ALTERNATE_CP ) |
blank | NO |
CHKTYPE |
MINUTES |
SINGLE |
CMPSPT01 (COMPRES_SPT01 ) |
NO |
YES |
CQAC (QUERY_ACCELERATION ) |
1 |
NONE |
DDFSTART (DDF ) |
NO |
AUTO |
DEFCCSID |
blank (no value) | 37 |
EDMDBDC |
23400 |
40960 |
EDMSKP (EDM_SKELETON_POOL ) |
51200 |
81920 |
EDMSTMTC |
113386 |
122880 |
IDXBPOOL |
BP0 |
BP2 |
LBACKOUT |
AUTO |
LIGHTAUTO |
MNSU (MATERIALIZE_NODET_SQLTUDF ) |
YES |
NO |
MON |
NO |
YES |
NUMCONBT (IDBACK ) |
50 |
200 |
NUMCONTS (IDFORE ) |
50 |
200 |
OPSMFSTA (SMFSTAT ) |
YES |
* |
OPNDS (DSMAX) |
calculated value |
20000 |
OPTHINTS |
NO |
YES |
OPTRCSIZ (TRACTBL ) |
16 |
25 |
(OTC_LICENSE) |
blank (no value) | NO |
PARAMDEG |
0 |
16 |
PALK (PREVENT_ALTERTB_LIMITKEY ) |
NO |
YES |
PFUP (PCTFREE_UPD ) |
0 |
AUTO |
PCLOSEN |
10 |
15 |
SMFCOMP |
OFF |
ON |
SYNCVAL |
NO |
0 |
TBSBPOOL |
BP0 |
BP1 |
TBSBP8K |
BP8K0 |
BP8K1 |
TBSBP16K |
BP16K0 |
BP16K1 |
TBSBP32K |
BP32K0 |
BP32K1 |
TBSBPLOB |
BP0 |
BP32K2 |
TBSBPXML |
BP16K0 |
BP16K2 |
UTOC (UTILITY_OBJECT_CONVERSION ) |
NONE |
EXTENDED |
WFDBSEP |
NO |
YES |
After your input properties file is updated with your installation values, you can create your own template under the z/OSMF Cloud Provisioning Software Services.
Preparing and publishing the Db2 software service template
In z/OSMF Cloud Provisioning Software Services, add a standard template. For general instructions for this process, see Prepare and publish a template and Add a template and resource pool.
a. When you create the template, specify the following file names, where
<service-base-dir>
is the directory where you unpaxed theDb2ProvisionSystemNonDS.pax
file:For the workflow file, specify:
<service-base-dir>/dsntiwin.xml
For the actions file, specify:
<service-base-dir>/actions.xml
For the workflow variable input file, specify:
<service-base-dir>/dsntivin
b. Associate the template with a tenant. When you associate the tenant, specify two leading characters for the subsystem name (
ssid
), and the number of instances to provision. For example, if you specifyDY
and you specify five instances, Db2 subsystems are provisioned with the following names forssid
: DY00, DY01, DY02, DY03, and DY04.c. Use the network configuration assistant to specify the port ranges to use for the provisioned Db2 subsystems. Two ports must be provided for each instance being provisioned, a DRDA and REST services port, and a RESYNC port.
d. Test the provisioning template and verify the provisioned Db2 subsystems.
e. Publish the template to make it available to consumers.
Steps in the provisioning workflow (dsntiwin.xml
)
When you execute the provisioning workflow, you are prompted to specify whether you want to execute the optional features.
To provision a standalone Db2 subsystem, the sample template completes the following steps:
Instantiates the Db2 subsystem ID (ssid) being provisioned
Sets the variables (section 9 of DSNTIVIN) according to the name convention rules
Acquires Db2 ports from the NRP
Defines aliases for the Db2 SMP/E target libraries for the instantiated Db2 subsystem
Allocates private proclib for instantiated Db2 subsystem
Assigns IRLM SSID based on the instantiated Db2 subsystem name
Dynamically defines Db2 and IRLM subsystems to z/OS
Executes all mandatory steps to install and verify a standalone Db2 subsystem, including: Java definitions, all Db2-supplied stored procedures, SQL Install Verification, Db2 storage groups for user data (
ssidUSG
), and optionally DDF REST services, ODBC, and JDBC connections (Type-2 and Type-4)
Actions for the provisioned Db2 subsystems
The following actions are available from z/OSMF Cloud Provisioning Software Services for the provisioned Db2 subsystem:
Start the Db2 subsystem
Stop the Db2 subsystem
Display DDF information
Display group information
Enable the optional features (ODBC, JDBC, and REST services)
Deprovision the Db2 subsystem
Steps in the deprovision workflow (dsndeprv.xml
)
The deprovision workflow removes all definitions and data sets related to the deprovisioned Db2 subsystem. To deprovision a Db2 subsystem, the sample template completes the following high-level actions:
Issues a STOP DB2 command; this step will not fail the workflow execution if Db2 is already stopped
Releases DRDA/REST services TCP/IP port
Releases RESYNC TCP/IP port
Deletes IVP and non-VSAM data sets
Deletes JAVAENV data set and the Java environment files
Deletes Image Copy data sets
Deletes Db2 catalog, directory, BSDS, active & archive log data sets, Db2 user data sets
Deletes Db2 start up and WLMENV procedures
Deletes the Db2 ZPARM module
Deletes WLM application environments
Deletes aliases defined against Db2 and IRLM SMP/E target libraries
Deletes Db2 and IRLM subsystem definitions from z/OSMF
Security considerations for the sample Db2 software service template
The “workflow executor” of the provisioning service must have RACF authority to execute the service, and must also have the following authority:
Authority to allocate data sets with the HLQ assigned to that Db2 instance, as well as z/OS UNIX System Services files
Read/write authority for the system PROCLIB and WLM application environment definition
Authority to generate RACF PassTickets to others executing steps where a password would be required
Db2 itself requires specific authorities when executing some of the installation and provisioning steps, and some workflow steps are executed under user IDs other than the workflow executor, by using the runAsUser ID. For details, see the tables in Authorizations for workflows.
Also, the enablement steps for the optional features have special requirements.
Using RACF PassTickets for optional features
The JDBC enablement optional feature requires connection to the provisioned Db2 subsystem to perform the BIND for the JDBC packages as well as to verify a remote connection (JCC-Type-4).
When connecting, a user ID and password must be passed to the connection statement. Instead of sending clear text passwords, the sample template uses generated RACF PassTickets. Users of the application can then use the PassTickets to authenticate within a RACF-secured network. This procedure prevents the need to store password credentials within the z/OSMF environment.
You must certify that the ID used to execute the workflows has the RACF authority to generate PassTickets to others.
To enable the usage of RACF PassTicket by the sample template, take the following actions:
Activate the RACF PassTicket class, by issuing the following commands:
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) SETROPTS GENERIC(PTKTDATA)
Define RACF profiles for the application in PTKTDATA, by issuing the following commands:
RDEFINE PTKTDATA <applName> SSIGNON(KEYMASKED(<key>))
APPLDATA('NO REPLAY PROTECTION')
In the preceding example:
<applName>
is the name of the application that requests and uses the PassTickets. Provisioned Db2 subsystems accept TCP/IP connections only, therefore we should use the value of the the IPNAME as <applName>
.
<key>
is a session key with the value of 16 hexadecimal digits (for an 8-byte or 64-bit key). The session key must be identical to the key in the PassTicket definition in each RACF instance. The key for each application must be the same on all subsystems in the configuration.
APPLDATA('NO REPLAY PROTECTION')
is the option that you can use to permit reuse of the same PassTicket multiple times.
The following example shows these commands for provisioning five Db2 subsystems. As described in the Naming Convention section, the name of the subsystem being provisioned (ssid
) is used for the IPNAME value. Because we expect five instances to be provisioned, you can activate them all in one single job, considering that they will be all under the same RACF database.
//STEP01 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEL PTKTDATA (DY00)
RDEL PTKTDATA (DY01)
RDEL PTKTDATA (DY02)
RDEL PTKTDATA (DY03)
RDEL PTKTDATA (DY04)
RDEL PTKTDATA (IRRPTAUTH.DY*.*)
RDEF PTKTDATA DY00 -
SSIGNON(KEYMASKED(E001193519561977)) -
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
RDEF PTKTDATA DY01 -
SSIGNON(KEYMASKED(E001193519561977)) -
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
RDEF PTKTDATA DY02 -
SSIGNON(KEYMASKED(E001193519561977)) -
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
RDEF PTKTDATA DY03 -
SSIGNON(KEYMASKED(E001193519561977)) -
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
RDEF PTKTDATA DY04 -
SSIGNON(KEYMASKED(E001193519561977)) -
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
RDEFINE PTKTDATA IRRPTAUTH.DY*.*
PERMIT IRRPTAUTH.DY*.* CLASS(PTKTDATA) ID(WFexecutorID) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
Authorizations for the sample Db2 software service template workflows
The following tables show the authorizations required for certain steps of the sample template. All other steps run under the authorization ID that executes the workflow. You can specify the authorization ID that executes the workflow in the AGEXECID variable in section 4 of the DSNTIVIN input variable file. If the AGEXECID value is blank, the sign-on ID executes the steps.
Authorizations for the provisioning workflow (dsntiwin.xml
)
Step name | Job name | Run as user | Job description | RACF authorization |
---|---|---|---|---|
s00DEFSS | DSNTIJMD |
SYSADM1/${PROTADMN} | Defines Db2 and IRLM to z/OS by SETSSI | A console that has master authority, or a console operator with sufficient RACF authorization. |
step15 | DSNTIJTC |
SYSADM1/${PROTADMN} | CATMAINT | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. |
step16 | DSNTIJTM |
SYSADM1 /${PROTADMN} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. | |
step17 | DSNTIJSG |
SYSADM1/${PROTADMN} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. | |
step20b | DSNTIJRT |
${AUTHID} | Db2 authorization: DSNTRIN accepts two auth parms (1) AUTHID ... the authorization ID to use to create most objects specified in ROUTINES CREATOR field of DSNTIPG (2) SECDEFID ... the authorization ID to use to create routines that require SECURITY DEFINER, specified in SEC DEF CREATOR field of DSNTIPG. The user ID needs to be able to SET CURRENT SQLID to these secondary IDs | |
step20c | DSNTIJRV |
${AUTHID} | RACF auth: - If CLASS(FACILITY) is active and the profile MVSADMIN.WLM.POLICY exists then the user ID needs READ access to the profile. - If CLASS(OPERCMDS) is active and the profile MVS.MCSOPER.* exists then the user ID needs READ access to the profile. For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. - AUTHID ... used as the CURRENT SQLID when issuing SQL statements and as the owner of the package and plan for program DSNTRVFY. Specified in ROUTINES CREATOR field of DSNTIPG. | |
step22b | DSNTEJ1 |
${IVPSQLID} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. IVPSQLID is specified in the IVP SQL ID field of DSNTIPG. | |
step22c | DSNTEJ1L |
${IVPSQLID} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. IVPSQLID is specified in the IVP SQL ID field of DSNTIPG. | |
step22d | DSNTEJ2A |
${IVPSQLID} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. IVPSQLID is specified in the IVP SQL ID field of DSNTIPG. | |
stepJTU | DSNTIJTU |
${INSSQLID} | Creates and grants usage on STOGROUP for user data TO ${INSGRLST} |
Authorizations for the START DB2 action (dsnstart.xml
)
Step name | Job name | Run as user | Job description | RACF authorization |
---|---|---|---|---|
stepJMD | DSNTIJMD |
SYSADM1/${PROTADMN} | Defines Db2 & IRLM to z/OS by SETSSI | A console that has master authority, or a console operator with sufficient RACF authorization. |
stepJSA | DSNTIJSA |
SYSADM1/${PROTADMN} | RACF authorization: If CLASS(OPERCMDS) is active and the profile MVS.MCSOPER.* exists then the user ID needs READ access to the profile. Db2 Authorization: None. However, the command can be executed only from a z/OS console with the START command capability. |
Authorizations for the STOP DB2 action (dsnstop.xml
)
Step name | Job name | Run as user | Job description | RACF authorization |
---|---|---|---|---|
stepJSO | DSNTIJSO |
SYSADM1/${PROTADMN} | Db2 Authorization: The user ID must use a privilege set of the process that includes one of the following privileges or authorities: STOPALL privilege SYSOPR authority SYSCTRL authority SYSADM authority Db2 commands that are issued from a logged-on z/OS console or TSO SDSF can be checked by Db2 authorization using primary and secondary authorization IDs. A logged-on z/OS user ID must be defined in RACF or a similar security server. |
Authorizations for the deprovisioning workflow (dsndeprv.xml
)
Step name | Job name | Run as user | Job description | RACF authorization |
---|---|---|---|---|
stepJSO | DSNTIJSO |
SYSADM1/${PROTADMN} | Db2 Authorization: The user ID must use a privilege set of the process that includes one of the following privileges or authorities: STOPALL privilege SYSOPR authority SYSCTRL authority SYSADM authority Db2 commands that are issued from a logged-on z/OS console or TSO SDSF can be checked by Db2 authorization using primary and secondary authorization IDs. A logged-on z/OS user ID must be defined in RACF or a similar security server. | |
stepDJMD | DSNTDJMD |
SYSADM1/${PROTADMN} | A console that has master authority, or a console operator with sufficient RACF authorization. |
Authorizations for the optional features enablement action (dsnopent.xml
)
Step name | Job name | Run as user | Job description | RACF authorization |
---|---|---|---|---|
stepJRP | DSNTIJRP |
SYSADM1/${PROTADMN} | Enables Db2 REST services | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. |
stepODBCBIND | DSNTIJCL |
SYSADM1/${PROTADMN} | Bind and grants usage of PKG/PLAN TO ${INSGRLST} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. |
stepODBCVerify | DSNTEJ8 |
SYSADM1/${PROTADMN} | For Db2 authorization, the user ID must have primary or secondary installation SYSADM authority. | |
stepJDBCBIND | Shell-JCL inline | Workflow executor | Uses DB2Binder utility, which binds the Db2 packages that are used at the data server by the IBM Data Server Driver for JDBC and SQLJ into the NULLID collection, and grants EXECUTE authority on the packages to PUBLIC. | 1) The workflow executor ID MUST have RACF privilege to generate PassTickets for others 2) The BIND will be performed under SYSADM1/${JCCSID} ID, using a generated PASSTICKET instead of sending clear text passwords to connect to the Db2 subsystem. See more details in Using RACF PassTickets for optional features |
stepJDBCVerifyT2 | Shell-JCL inline | Workflow executor | Performs local connection (JCC Type-2) to the provisioned Db2 subsystem and perform SQL queries against the Db2 sample database. Records the output into /tmp/db2-ssid-tej91t2 | |
stepJDBCVerifyT4 | Shell-JCL inline | Workflow executor | Performs remote connection (JCC Type-4) to the provisioned Db2 subsystem and perform SQL queries against the Db2 sample database. Records the output into /tmp/db2-ssid-tej91t4 |
The connection and verification is performed under SYSADM1/${PROTADMN} ID, using a generated PASSTICKET instead of sending clear text passwords to connect to the Db2 subsystem. See more details in Using RACF PassTickets for optional features |