DSNZPARM Authorization, RLF and DDF Parameters

This panel shows information about the parameters that affect Db2 access and security. It shows the name of the DSNZPARM module that is specified for Db2 startup and the date on which the module is assembled. It also shows a list of the default values of the DB2® application.

If a field is not available for the current Db2 release, the string N/A is displayed. For other conditions, for example, if specific Db2 traces are not started or control block data is not available, the string N/P is displayed.

Figure 1. DSNZPARM Authorization, RLF and DDF Parameters (ZPCTL) panel
________________ ZPCTL    VTM     O2       V550.#P DC11 S MM/DD/YY HH:MM:SS 2 
>       Help PF1      Back PF3      Left PF10      Right PF11                  
> R.H.E                                                                        
>       DSNZPARM INFORMATION:  Enter a selection letter on the top line.       
                                                                               
>  A-THREAD    B-TRACE     C-LOGGING   D-ARCHIVING     *-AUTH/RLF/DDF   F-IRLM 
>  G-STORAGE   H-DATASET   I-DDCS      J-DATA SHARING  K-STORED PROC    L-UTIL 
>  M-APPL      N-DATA      O-PERF      P-BUFFERPOOL    Q-OTHERS                
===============================================================================
>             DSNZPARM AUTHORIZATION, RLF, AND DDF PARAMETERS                  
 ZCTL                                                                          
+ Collection Interval:  REALTIME                SNAPTIME: MM/DD/YY HH:MM:SS.MS 
+                                                                              
+ DSNZPARM Module                               DSNZPARM                       
+ Assembly Date                                 MM/DD/YY                       
+ Initial Module                                DSNZPARM                       
+ Assembly Date                                 MM/DD/YY                       
+ Previous Module                               DSNZPARM                       
+ Assembly Date                                 MM/DD/YY                       
+                                                                              
+ DSNTIPO-Operator Functions                                                   
+------------------------------------                                          
+ WTO Route Codes (ROUTCDE)                            1                       
+ Recall Data Base (RECALL)                          YES                       
+ Recall Delay (RECALLD)                             120                                          
+ Auto Bind (ABIND)                                  YES                       
+ Explain Processing (ABEXP)                         YES                       
+ Dprop Support (EDPROP)                              NO                       
+ Change Data Capture (CHGDC)                         NO        
+ Site Type (SITETYP)                          LOCALSITE        
+ Tracker Site (TRKRSITE)                             NO        
+ Read Copy2 Archive (ARC2FRST)                       NO               
+ (PROFILE_AUTOSTART)                                 NO
+ DSNTIPP-Protection 1                                                         
+------------------------------------                                          
+ Archive Log RACF (PROTECT)                          NO                       
+ Use Protection (AUTH)                              YES                       
+ Plan Auth Cache (AUTHCACH)                        3072          
+ Package Auth Cache (CACHEPAC)                  5242880          
+ Routine Auth Cache (CACHERAC)                  5242880          
+ Auth Exit Limit (AEXITLIM)                          10          
+ Auth Exit Check (AUTHEXIT_CHECK)               PRIMARY          
+ (AUTHEXIT_CACHEREFRESH)                           NONE          
+ (MFA_AUTHCACHE_UNUSED_TIME)                          0
+
+ DSNTIPP1-Protection 2                                           
+------------------------------------                             
+ System Admin 1 (SYSADM)                           HELM          
+ System Admin 2 (SYSADM2)                        SYSADM          
+ System Operator 1 (SYSOPR1)                       HELM          
+ System Operator 2 (SYSOPR2)                       EMIL          
+ Security Admin 1 (SECADM1)                      SECADM          
+ Sec Admin1 Type (SECADM1_TYPE)                  AUTHID          
+ Security Admin 2 (SECADM2)                      SECADM          
+ Sec Admin2 Type (SECADM2_TYPE)                  AUTHID          
+ (SEPARATE_SECURITY)                                  N          
+ Unknown Authid (DEFLTID)                       IBMUSER          
+ Resource Authid (RLFAUTH)                       SYSIBM          
+ Bind New Package (BINDNV)                      BINDADD          
+ DBADM Create Auth (DBACRVW)                         NO          
+ (REVOKE_DEPENDENT_PRIVILEGES)                        S          
+
+ DSNTIPR-DDF 1                                                   
+------------------------------------                             
+ DDF Startup Option (DDF)                          AUTO                
+ Resync Interval (RESYNC)                             2          
+ DDF Threads (CMTSTAT)                         INACTIVE          
+ Max Type1 Inactive Thrds (MAXTYPE1)                  0          
+ Idle Thread Timeout (IDTHTOIN)                     120          
+ Extended Security (EXTSEC)                         YES          
+

+ DSNTIP5-DDF 2                                                   
+------------------------------------                             
+ TCP/IP Already Verified (TCPALVER)                  NO          
+ Extended Option for TCPALVER                        NO          
+ Extra Blocks Req (EXTRAREQ)                        100          
+ Extra Blocks Srv (EXTRASRV)                        100          
+ Hop Site Authorization (HOPAUTH) V9                N/A          
+ TCP/IP Keepalive (TCPKPALV)                        120                        
+ Pool Thread Timeout (POOLINAC)                     120                        
+ Conn Queue Max Depth (MAXCONQN)                      0                        
+ Conn Queue Max Wait (MAXCONQW)                       0                        
===============================================================================

+ DSNTIPO4-Resource Limit Facility                                                                
+------------------------------------                                          
+ RLF Auto Start (RLF)                                NO
+ RLF Scope (RLFENABLE)                          DYNAMIC   
+ RLST Name Suffix (RLFTBL)                           01
+ RLST Access Err DSQL (RLFERR)                  NOLIMIT						
+ RLST Access Err SSQL (RLFERRSTC)               NOLIMIT  
+ RLST Access Err RemDSQL (RLFERRD)              NOLIMIT 
+ RLST Access Err RemSSQL(RLFERRDSTC)            NOLIMIT

Fields

The DSNZ command displays the following lines to reflect the usage of the Db2 SET SYSPARM command. For each of these lines, the date on which the corresponding module was assembled is also displayed.
DSNZPARM Module
The name of the DSNZPARM module that is specified for Db2 startup.
Initial Module
The name of the initial DSNZPARM load module.
Previous Module
The name of the previous DSNZPARM load module.
Assembly Date
The date on which this module was assembled.
DSNTIPO-Operator Functions
WTO Route Codes (ROUTCDE) (QWP1SMRC)
This parameter determines the z/OS® console routing codes that are assigned to messages that are not solicited from a specific console.
Valid values:
2 bytes are used as bits 1-16
Recall Data Base (RECALL) (QWP4HRCL)
This parameter determines whether DFSMShsm automatic recall is performed for Db2 databases.
Recall Delay (RECALLD) (QWP4HRCD)
This parameter determines the maximum length of time in seconds that a program can be delayed for a DFSMShsm recall.
Auto Bind (ABIND) (QWP4ABN )
This parameter determines whether plans or packages can be rebound automatically.
Valid values:
COEXIST
Automatic rebind is performed in a data sharing coexistence environment if one of the following conditions is met:
  • The plan or package is marked as invalid.
  • The plan or package was last bound at the current release level. It is now running on a subsystem at the previous release level.
DISABLE
You must explicitly rebind any invalid plan or package before it can be used.
ENABLE
Automatic rebind is performed on plans or packages.
Explain Processing (ABEXP) (QWP4ABX )
This parameter determines whether EXPLAIN is allowed during AUTOBIND.
Dprop Support (EDPROP) (QWP4ENF)
DPROPNR support only.
Change Data Capture (CHGDC) (QWP4CDC )
This parameter determines the enablement of change data capture.
Site Type (SITETYP) (QWP4MSTY)
This parameter determines whether this system runs at the local site.
Tracker Site (TRKRSITE) (QWP4TRKR)
This parameter determines whether this subsystem is a remote tracker site for another Db2 system.
Read Copy2 Archive (ARC2FRST) (QWP2ARC2)
This parameter determines whether the COPY2 archives are read first when the Db2 subsystem is started.
(PROFILE_AUTOSTART) (QWP1PFSY)
Specifies whether start profile command processing is automatically initiated as part of Db2 startup.
  • 0=NO
  • 1=YES
Db2 12 and later.
DSNTIPP-Protection 1
Archive Log RACF® (PROTECT) (QWP3RTCT)
This parameter determines the RACF protection.
Use Protection (AUTH) (QWP4AUTH)
This parameter determines whether the Db2 authorization is enabled or disabled.
Valid values:
E=ENABLE(YES)
D=DISABLE(NO)
Default:
E
Plan Auth Cache (AUTHCACH) (QWP4AUCA)
This parameter determines the authorization cache size.
Package Auth Cache (CACHEPAC) (QWP4PAC )
This parameter determines the size of package authorization cache.
Routine Auth Cache (CACHERAC) (QWP4RAC )
This parameter determines the amount of storage that is allocated to the caching of authorization information for all routines on this subsystem.
Default:
32K
Auth Exit Limit (AEXITLIM) (QWP4ACAN)
This parameter determines the abend count for the access control authorization exit.
Auth Exit Check (AUTHEXIT_CHECK) (QWP4RACK)
This parameter determines the authorization exit check.
Valid values:
P=PRIMARY
D=DB2
Db2 11 and later.
(AUTHEXIT_CACHEREFRESH) (QWP4AECR)
Determines the authorization exit cache refresh.
Valid values are:
A
All
N
None
Db2 11 and later.
(MFA_AUTHCACHE_UNUSED_TIME) (QWP4FMAT)
Controls how frequently a client is required to provide a new set of MFA credentials.
Valid values are:
0
(Default) The replay of MFA credentials is not allowed. If the Db2 subsystem is a member of a data sharing group, other members will not be queried for matching cached credentials.
120 to 7200
The time, in seconds, that cached MFA credentials can remain unused before new credentials are required. A cached entry is unused if the client has not attempted a replay of the credentials. Once the credentials have been replayed, the unused time is reset. If the Db2 subsystem is a member of a data sharing group, then the other members are queried for matching credentials. The other members must also be running with a non-zero unused time. However, users must provide new, valid MFA credentials when a RACF user profile access is changed that could affect the AUTHID. A non-zero value is valid only when AUTHEXIT_CACHEREFRESH is set to ALL. Also, even though this subsystem parameter can be updated online, if the Db2 subsystem was initially started with AUTHEXIT_CACHEREFRESH not set to ALL, then Db2 must be stopped and started to run with the new value for this parameter.
DSNTIPP1-Protection 2
System Admin 1 (SYSADM) (QWP4SADM)
The system administrator user ID 1.
If QWP4SADM_OFF is not set to 0, this value is truncated. If QWP4SADM is truncated, this is the offset from the beginning of QWP4 to QWP4SADM_LEN.
If QWP4SADM_OFF is not set to 0, use the following fields:
  • Length of QWP4SADM_VAR
  • System Administrator user ID 1
System Admin 2 (SYSADM2) (QWP4ADM2)
The system administrator user ID 2.
If QWP4ADM2_OFF is not set to 0, this value is truncated. If QWP4ADM2 is truncated, this is the offset from the beginning of QWP4 to QWP4ADM2_LEN.
If QWP4ADM2_OFF is not set to 0, use the following fields:
  • Length of QWP4ADM2_VAR
  • System Administrator user ID 2
System Operator 1 (SYSOPR1) (QWP4OPR1)
The system operator user ID 1.
If QWP4OPR1_OFF is not set to 0, this value is truncated. If QWP4OPR1 is truncated, this is the offset from the beginning of QWP4 to QWP4OPR1_LEN.
If QWP4OPR1_OFF is not set to 0, use the following fields:
  • Length of QWP4OPR1_VAR
  • System Operator user ID 1.
System Operator 2 (SYSOPR2) (QWP4OPR2)
The system operator user ID 2.
If QWP4OPR2_OFF is not set to 0, this value is truncated. If QWP4OPR2 is truncated, this is the offset from the beginning of QWP4 to QWP4OPR2_LEN.
If QWP4OPR2_OFF is not set to 0, use the following fields:
  • Length of QWP4OPR2_VAR
  • System Operator user ID 2.
Security Admin 1 (SECADM1) (QWP4SECA1_E)
The security administrator 1 authorization ID.
If QWP4SECA1_OFF is not set to 0, this value is truncated. If the authorization is held by a role, this value is blank.
Sec Admin1 Type (SECADM1_TYPE) (QWP4SECA1_TYPE)
The type of the security administrator 1 authorization ID:
' '
Authorization ID
L
Role
Security Admin 2 (SECADM2) (QWP4SECA2_E)
The security administrator 2 authorization ID.
If QWP4SECA1_OFF is not set to 0, this value is truncated. If the authorization is held by a role, this value is blank.
Sec Admin2 Type (SECADM2_TYPE) (QWP4SECA2_TYPE)
The type of the security administrator 2 authorization ID:
' '
Authorization ID
L
Role
(SEPARATE_SECURITY) (QWP4SEPS)
Specifies whether to separate Db2 security administrator duties from the Db2 system administrator duties.
Revoke:
Y
SYSADM cannot manage security objects such as roles and trusted contexts. SYSCTRL cannot manage roles.
N
SECADM or ACCESSCTRL AUTHORITY is required for security administration.
Unknown Authid (DEFLTID) (QWP4DFID)
The system administrator default user ID.
If QWP4DFID_OFF is not set to 0, this value is truncated. If QWP4DFID is truncated, this is the offset from the beginning of QWP4 to QWP4DFID_LEN.
If QWP4DFID_OFF is not set to 0, use the following fields:
  • Length of QWP4DFID_VAR
  • System default user ID
Resource Authid (RLFAUTH) (QWP1RLFA)
The resource limit specification table authorization ID.
If QWP1RLFA_OFF is not set to 0, this value is truncated. If QWP1RLFA is truncated, this value is the offset from the beginning of QWP1 to QWP1RLFA_LEN.
Use the following fields if QWP1RLFA_OFF is not set to 0:
  • Length of QWP1RLFA_VAR
  • Resource limit specification table authorization ID
Bind New Package (BINDNV) (QWP4BNVA)
When adding a new package or a new version of an existing package to a collection, one of the following authorities is required:
  • BINDADD AUTHORITY
  • BIND AUTHORITY
DBADM Create Auth (DBACRVW) (QWP4CRVW)
Specifies whether an authorization ID with DBADM authority can create a view or an alias for another authorization ID. Valid values are YES or NO. The default value is NO.
(REVOKE_DEPENDENT_PRIVILEGES) (QWP4RVDP)
Specifies whether to include dependent privileges on REVOKE:
Y
Dependent privileges are included.
N
Dependent privileges are not included.
S
The REVOKE statement specification is used.
DSNTIPR-DDF 1
DDF Startup Option (DDF) (QWP9STRT)
The facility start parameter.
Resync Interval (RESYNC) (QWP9RYC )
The minutes between resynchronization periods.
DDF Threads (CMTSTAT) (QWP9CMST)
The status of the DDF thread.
Max Type1 Inactive Thrds (MAXTYPE1) (QWP9MAX1)
Specifies the maximum type 1 inactive threads that are allowed by Db2. 0 indicates that type 1 inactive connections are not allowed.
Idle Thread Timeout (IDTHTOIN) (QWP9TTO )
The approximate time in seconds that an active server thread can remain dormant before it is cancelled.
Extended Security (EXTSEC) (QWP1SCER)
This parameter determines the contents of the error message that is returned to a network client when a DDF connection request fails due to a security error. It also determines whether you can update a RACF password by using the DRDA change password function.
Y
Detailed error information is returned. You can update the password by using the DRDA function.
N
A generic error message is returned. You cannot update the RACF password by using the DRDA function.
DSNTIP5-DDF 2
TCP/IP Already Verified (TCPALVER) (QWP9TCPA)
Specifies whether already verified connections are accepted from TCP/IP clients.
Valid values: YES or NO. If connections are not accepted, additional criteria might apply.
Extended Option for TCPALVER (QWP9TCPVE)
If YES is specified, user ID and password are required. These values must be AES-encrypted including RACF passtickets, or a KERBEROS ticket is required, or the connection is protected by one of the following options:
  • AT-TLS policy (ensured via a Db2 SECPORT)
  • IPSEC tunnel
Extra Blocks Req (EXTRAREQ) (QWP1EXBR)
The maximum number of extra query blocks that Db2 can request from a remote DRDA server.
Extra Blocks Srv (EXTRASRV) (QWP1EXBS)
The maximum number of extra query blocks that Db2 can return to a remote DRDA requester.
Hop Site Authorization (HOPAUTH) V9 (QWP4HOP )
For a non-Db2 requester that executes a package at a Db2 server that sends an SQL statement to another Db2 server, you can specify one of the following options:
ON
The authorization ID of the package owner is used for static SQL, and the ID of the process runner is used for dynamic SQL.
OFF
The authorization ID of the process runner is used for all statements.
TCP/IP Keepalive (TCPKPALV) (QWP9TCKA)
Determines whether to override the TCP/IP stack Keepalive value. The default value is 120.
You can specify the following values:
ENABLE
The TCP/IP value is not overwritten.
DISABLE
Keep alive probing is disabled.
1-65534 (SECONDS)
The TCP/IP stack Keepalive value should be replaced with the value that is displayed in this field.
Pool Thread Timeout (POOLINAC) (QWP9INAC)
Specifies the time in seconds that a DBAT can remain idle in the pool before it is terminated. If this parameter is set to 0, a DBAT is terminated instead of going into the pool if there is a sufficient number of threads in the pool to process the number of type 2 inactive threads that is currently existing.
Valid values: 0-9999.
Default: 120.
Conn Queue Max Depth (MAXCONQN) (QWP9MCONQN)
The maximum depth for the connection request queue of connections that are waiting for a DBAT to process a request. The minimum value is 1.
OFF
The queue is limited only by CONDBAT.
ON
The depth of the queue corresponds to the maximum value that is specified for MAXDBAT.
Conn Queue Max Wait (MAXCONQW) (QWP9MCONQW)
The maximum time in seconds for a connection to wait for a DBAT to process its request.
OFF
The connection waits indefinitely.
ON
The time value that is specified for IDTHTOIN is used. However, if IDTHTOIN is set to 0, a warning MNOTE is issued. It states that MAXONT is set to OFF because IDTHTOIN is set to 0. The minimum numeric value is 5. The maximum value is 3600 seconds.
This is the default value.
DSNTIPO4-Resource Limit Facility
RLF Auto Start (RLF) (QWP1RLF)
This parameter determines whether the resource limit facility (governor) starts automatically each time Db2 is started.
RLF Scope (RLFENABLE)
The level of RLF governing:
DYNAMIC
Dynamic SQL only
STATIC
Static SQL only
ALL
Both dynamic and static SQL
Db2 12 and later.
RLST Name Suffix (RLFTBL) (QWP1RLFT)
This parameter determines the suffix that is used for the default resource limit specification table (RLST). The default RLST is used when the resource limit facility (governor) is started automatically or when the governor is started without a specified suffix.
RLST Access Error (RLFERR) (QWP1RLFR)
This parameter determines what Db2 does if the governor encounters a condition that prevents it from accessing the resource limit specification table. This setting also applies if Db2 cannot find an applicable row in the resource limit specification table. An applicable row applies to the authorization ID, plan or package name, and the name of the logical unit of work of the query user.
RLST Access Err SSQL (RLFERRSTC)
The action taken by Db2 when the governor cannot use the resource limit:
NOLIMIT
The static SQL statements run without limit.
NORUN
The static SQL statements are terminated with an SQL error code. A number from 1 to 5000000 represents the number of CPU service units allowed for a query.
Db2 12 and later.
RLST Access Err RemDSQL (RLFERRD) (QWP9RLER)
Shows what Db2 does when the governor cannot access the resource limit specification table or when no row in the table matches the currently running statement:
NOLIMIT
This is the default. It allows all dynamic SQL statements to run without limit.
NORUN
Terminates all dynamic SQL statements immediately with an SQL error code. A number from 1 to 5000000 is the default limit. If the limit is exceeded, the SQL statement is terminated.
RLST Access Err RemSSQL (RLFERRDSTC)
Shows what Db2 does when the governor cannot access the resource limit specification table or when no row in the table matches the currently running statement:
NOLIMIT
This is the default. It allows all static SQL statements to run without limit.
NORUN
Terminates all static SQL statements immediately with an SQL error code. A number from 1 to 5000000 is the default limit; if the limit is exceeded, the SQL statement is terminated.
Db2 12 and later.
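
The following Python script is an added example, not part of the original documentation or the product. It parses panel lines captured in the layout of Figure 1 and reports settings that a security review would note, using only the meanings given in the field descriptions above. The sample text, the function names, and the choice of which settings to report are assumptions.

```python
import re

# Constructed sample in the layout of the ZPCTL panel (values are illustrative).
SAMPLE_PANEL = """\
+ Use Protection (AUTH)                              YES
+ (AUTHEXIT_CACHEREFRESH)                           NONE
+ (MFA_AUTHCACHE_UNUSED_TIME)                        300
+ (SEPARATE_SECURITY)                                  N
+ Extended Security (EXTSEC)                         YES
+ TCP/IP Already Verified (TCPALVER)                  NO
+ Hop Site Authorization (HOPAUTH) V9                N/A
+ RLST Access Err DSQL (RLFERR)                  NOLIMIT
+ RLST Access Err RemSSQL(RLFERRDSTC)                N/P
"""

# Keyword = last parenthesised token; value = last token on the line.
LINE_RE = re.compile(r"^\+\s.*\(([A-Z0-9_]+)\)(?:\s+V\d+)?\s+(\S+)\s*$")
UNAVAILABLE = {"N/A", "N/P"}  # not in this release / data not collected


def parse_panel(text):
    """Return {KEYWORD: displayed value} for every parameter line."""
    return {m.group(1): m.group(2)
            for m in map(LINE_RE.match, text.splitlines()) if m}


def review(params):
    """Return (findings, skipped) using only semantics stated in the field list."""
    skipped = sorted(k for k, v in params.items() if v in UNAVAILABLE)
    get = lambda k: None if params.get(k) in UNAVAILABLE else params.get(k)
    findings = []

    if get("AUTH") in ("NO", "D"):
        findings.append(("AUTH", "Db2 authorization is disabled"))
    if get("EXTSEC") in ("YES", "Y"):
        findings.append(("EXTSEC", "detailed security error text is returned "
                         "to network clients"))
    if get("TCPALVER") in ("YES", "Y"):
        findings.append(("TCPALVER", "already verified TCP/IP connections "
                         "are accepted"))
    if get("SEPARATE_SECURITY") in ("NO", "N"):
        findings.append(("SEPARATE_SECURITY", "security administration is not "
                         "separated from system administration"))
    mfa = get("MFA_AUTHCACHE_UNUSED_TIME")
    if mfa is not None and mfa.isdigit() and int(mfa) != 0:
        if get("AUTHEXIT_CACHEREFRESH") not in ("ALL", "A"):
            findings.append(("MFA_AUTHCACHE_UNUSED_TIME",
                             "non-zero value requires AUTHEXIT_CACHEREFRESH=ALL"))
        if not 120 <= int(mfa) <= 7200:
            findings.append(("MFA_AUTHCACHE_UNUSED_TIME",
                             "value outside 120 to 7200 seconds"))

    for key in ("RLFERR", "RLFERRSTC", "RLFERRD", "RLFERRDSTC"):
        if get(key) == "NOLIMIT":
            findings.append((key, "SQL runs without limit when the governor "
                             "cannot use the RLST"))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = review(parse_panel(SAMPLE_PANEL))
    for keyword, message in found:
        print(f"{keyword}: {message}")
    print("not evaluated:", ", ".join(skipped))
```

Parameters that the panel shows as N/A or N/P are listed as not evaluated rather than treated as safe, because the panel gives no value for them.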