Installing the RACF access control module

You can install the RACF access control module so that Db2 starts RACF for authority checking.

Before you begin

Before you install the RACF access control module, you must meet the following prerequisites:

  • You must have MVS system programming skills to complete this procedure.
  • In Step 3, you can optionally customize the RACF access control module to modify several important authorization processing options. Consult your implementation team to find out which customization options are needed, if any.
  • You might want to have Installing or migrating to Db2 13 available as a reference.

Procedure

To install the RACF access control module:

  1. Locate the DSNXRXAC member (containing the RACF access control module) in the prefix.SDSNSAMP library and copy it to a private library.
  2. Optionally, customize your private copy of the RACF access control module by modifying the assembler SET options from their default values. The options you use in this step affect Db2 authorization processing, so use the values chosen by your implementation team.
  3. Use the Db2 installation job to assemble and link edit the APF-authorized Db2 exit load library (prefix.). If you use another target library, you might have to change the STEPLIB or JOBLIB concatenations in the Db2 startup procedures.
    1. Modify Step 3 (JEX0003) of DSNTIJEX to point to the library containing your customized version of DSNXRXAC and then run it.
    2. If you have two or more Db2 subsystems and you want to use different assembler SET options for each subsystem (or you want to have separate exit load libraries), repeat the previous step for each Db2 subsystem.

Results

After you complete these steps, the RACF access control module will be initialized the next time the Db2 subsystem is started. The initialization function is successful and the RACF access control module becomes active only if Db2 resource classes are active at the time of the restart. If the RACF access control module is active, Db2 invokes RACF for authority checking.

You can determine whether Db2 performs Db2 authorization checks by reviewing the IRR9nnx messages and any DSNX210I message you receive during Db2 initialization.

If you receive the IRR912I message during initialization, your exit routine is not active and native Db2 authorization checking is used.
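
The check described above can be scripted against a saved copy of the Db2 initialization messages. The following is an added example, not IBM-supplied code: the function name, verdict labels, and sample log lines are assumptions made for illustration, and the only behavior taken from this page is that IRR912I means the exit routine is not active and native Db2 authorization checking is used.

```python
import re
from dataclasses import dataclass, field

# IRR9nnx = "IRR9" + two digits + one type letter; DSNX210I is matched literally.
MSG_ID = re.compile(r"\b(IRR9\d{2}[A-Z]|DSNX210I)\b")

@dataclass
class ExitStatus:
    verdict: str                                        # hypothetical label
    irr_messages: list = field(default_factory=list)    # (line number, message ID)
    dsnx210i_lines: list = field(default_factory=list)  # line numbers

def check_initialization_log(lines):
    """Classify Db2 initialization output by the message IDs this page names."""
    irr, dsnx = [], []
    for lineno, line in enumerate(lines, start=1):
        for msg_id in MSG_ID.findall(line):
            if msg_id == "DSNX210I":
                dsnx.append(lineno)
            else:
                irr.append((lineno, msg_id))
    ids = {msg_id for _, msg_id in irr}
    if "IRR912I" in ids:
        # Per the page: exit routine not active, native Db2 checking in use.
        verdict = "NATIVE_DB2_AUTHORIZATION"
    elif ids or dsnx:
        # Messages are present but none is IRR912I; read them in the log.
        verdict = "REVIEW_MESSAGES"
    else:
        # Nothing to review: wrong log, or the exit issued no messages.
        verdict = "NO_EXIT_MESSAGES_FOUND"
    return ExitStatus(verdict, irr, dsnx)

# Constructed sample input. The timestamp and job ID layout is invented, the
# message text is omitted, and IDs other than IRR912I and DSNX210I are used
# only because they fit the IRR9nnx pattern.
SAMPLE_FALLBACK = [
    "09.14.02 STC01234  IRR908I <message text omitted>",
    "09.14.02 STC01234  IRR912I <message text omitted>",
    "09.14.03 STC01234  DSNX210I <message text omitted>",
]
SAMPLE_OTHER = [
    "09.14.02 STC01234  IRR908I <message text omitted>",
    "09.14.02 STC01234  IRR910I <message text omitted>",
]

if __name__ == "__main__":
    for name, log in (("fallback", SAMPLE_FALLBACK), ("other", SAMPLE_OTHER)):
        print(name, check_initialization_log(log))
```

Running a check like this after every Db2 restart catches the case where the subsystem has fallen back to native Db2 authorization without anyone reading the startup messages.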