Start of change

Updating the APF authorization table

The ADB2ATH and ADB2UTIL programs and TSO commands must be APF authorized to use them within Db2 Admin Tool. If the SADBLINK library, which contains ADB2ATH and ADB2UTIL, is not APF authorized, you must copy these modules to an APF-authorized library.

About this task

The ADB2ATH program is used when the Db2 security exit type (:secexit.) is specified as AUTH. The ADB2UTIL program is used when the ADBTEP2 program runs Db2 utilities.

Procedure

To update the APF authorization table:

  1. Copy ADB2ATH and ADB2UTIL from high-level.SADBLINK to an APF-authorized library.
    If the APF-authorized library is not in the system link list, it must be registered as the Admin Tool APF Library on the Product Parameters (CCQPPRD) panel.
    Using two different versions of Db2 Admin Tool on the same Db2 subsystem: If you are installing and running two or more different releases of Db2 Admin Tool on the same Db2 subsystem, ensure that you use the ADB2ATH and ADB2UTIL authorized programs from the product tape for the higher release when you copy them to the APF-authorized library in your system link list.

    If you plan to use Db2 High Performance Unload (HPU) in a work statement list (WSL), also authorize the HPU main program, INZUTILB by ensuring it is in an APF-authorized library.

  2. Modify SYS1.PARMLIB(IKJTSOxx) and add programs ADB2ATH and ADB2UTIL to both the AUTHPGM and AUTHTSF sections, as shown in the following figure:
    Figure 1. Adding programs ADB2ATH and ADB2UTIL to IKJTSOxx
    AUTHPGM NAMES(               /* AUTHORIZED PROGRAMS */      +
       ........                                                 +
       ADB2ATH                   /* CALLS DSN3@ATH      */      +
       ADB2UTIL                  /* CALLS DSNUTILB      */      +
       ........)                 /*                     */      +
    AUTHTSF NAMES(   /* PROGRAMS TO BE AUTHORIZED       */      +
                     /* WHEN CALLED THROUGH THE TSO     */      +
                     /* SERVICE FACILITY.               */      +
       ........                  /*                     */      +
       ADB2ATH                   /* CALLS DSN3@ATH      */      +
       ADB2UTIL                  /* CALLS DSNUTILB      */      +
       ........)                 /*                     */

    This action ensures that the TSO service facility invokes ADB2ATH and ADB2UTIL as authorized programs.

    If plan to use HPU in a WSL, also add INZUTILB to the AUTHPGM and AUTHTSF sections.

  3. Activate the changes at the next IPL or immediately by issuing the following TSO/E command:
    PARMLIB UPDATE(xx)
End of change