Creating an instance with non-root DB2 privileges

You can create a directory server instance with non-root DB2® privileges.

Procedure

  1. Create the instance owner.
    1. If IBM® Security Verify Directory is already installed, create the user with the idsadduser command.
    2. If not, create the group and the user manually:
      On AIX®
      # mkgroup "users=root" idsldap
      # useradd -d /home/nrinst1 -g idsldap -G idsldap -m -s /usr/bin/ksh nrinst1
      # passwd nrinst1
      # pwdadm -c nrinst1
      # chmod -R 755 /home/nrinst1
      On Linux®
      # groupadd idsldap
      # usermod -G root,idsldap root    # -G replaces root's supplementary groups, so list every group root must keep
      # useradd -d /home/nrinst1 -g idsldap -G idsldap -m -s /usr/bin/ksh nrinst1
      # passwd nrinst1
      # chmod -R 755 /home/nrinst1
  2. Install non-root DB2.
    1. Create a response file. The following minimal file, saved as /tmp/server.rsp, is sufficient:
      PROD = DB2_SERVER_EDITION
      LIC_AGREEMENT = ACCEPT
      INSTALL_TYPE = TYPICAL
    2. Mount the DB2 installation media on /home/mytmp, then run db2setup as the instance owner. A non-root db2setup installs DB2 under that user's home directory, here /home/nrinst1/sqllib:
      # su - nrinst1 -c "/home/mytmp/db2setup -r /tmp/server.rsp -l /tmp/db2setup_server.log -t /tmp/db2setup_server.trc"
    3. Accept the license with db2licm, as the instance owner:
      # su - nrinst1
      $ db2licm -a /home/mytmp/db2/license/db2ese_o.lic
    4. Check that the license was registered:
      # su - nrinst1
      $ db2licm -l
      Note: On AIX you might see the following warning, possibly more than once:
      lsdev: 0514-521 Cannot find information in the predefined device configuration database for the customized device gpfsraid0.
      This lsdev warning is most likely a side effect of the minimal response file and is safe to ignore.

      Still as the instance owner, confirm that DB2INSTANCE names the non-root instance, stop the instance, and run db2nrupdt to update it:
      # su - nrinst1
      $ echo $DB2INSTANCE
      If the variable is empty, export it:
      $ export DB2INSTANCE=nrinst1
      $ db2stop
      $ cd
      $ sqllib/instance/db2nrupdt
    5. Create the DB2 prerequisite-check skip file, so that the Security Verify Directory installer skips its check for a root DB2 installation:
      # mkdir -p /opt/IBM/ldap/V10.0.4/install
      # touch /opt/IBM/ldap/V10.0.4/install/IBMLDAP_INSTALL_SKIPDB2REQ
    6. As root, install the latest IBM Security Verify Directory packages, or upgrade an existing installation to the latest fix pack, and then create the symbolic links for the non-root instance owner.

      If not previously installed:
      # idsinstall -i

      Or, if already installed:
      # idsinstall -u -f

      In both cases, then create the symbolic links:
      # /opt/IBM/ldap/V10.0.4/bin/idslink -i -g -l 64 -s nrinst1 -n
    7. As the instance owner, write ldapdb.properties and the db2rfe configuration. currentDB2InstallPath is the non-root sqllib directory, and currentDB2Version must match the version that db2level reports for the installed DB2 (12.1.2 in this example):
      $ echo "DB2Type=NON-ROOT" > /home/nrinst1/ldapdb.properties
      $ echo "currentDB2InstallPath=/home/nrinst1/sqllib" >> /home/nrinst1/ldapdb.properties
      $ echo "currentDB2Version=12.1.2" >> /home/nrinst1/ldapdb.properties

      $ echo "INSTANCENAME=nrinst1" > /home/nrinst1/db2rfe.cfg
      $ echo "ENABLE_OS_AUTHENTICATION=YES" >> /home/nrinst1/db2rfe.cfg
      $ echo >> /home/nrinst1/db2rfe.cfg
      $ db2stop
    8. Run db2rfe as root. It reads db2rfe.cfg and enables the root-based features listed there (here, operating-system authentication) for the non-root instance. The instance must be stopped while db2rfe runs, which is why the previous step ends with db2stop:
      # /home/nrinst1/sqllib/instance/db2rfe -f /home/nrinst1/db2rfe.cfg
    9. Replace ldapdb.properties in /opt/IBM/ldap/V10.0.4/etc with the file generated in step 7. Back up the original first:
      # cp /opt/IBM/ldap/V10.0.4/etc/ldapdb.properties /opt/IBM/ldap/V10.0.4/etc/ldapdb.properties.backup
      # cat /home/nrinst1/ldapdb.properties > /opt/IBM/ldap/V10.0.4/etc/ldapdb.properties
    10. Create the directory server instance with idsicrt. encrypt_seed and encrypt_salt are placeholders: choose your own values and record them securely, because the same seed and salt are needed on any other server that must share this instance's encrypted data, for example when exporting data to another server:
      # /opt/IBM/ldap/V10.0.4/sbin/idsicrt -I nrinst1 -e encrypt_seed -g encrypt_salt -t nrinst1 -l /home/nrinst1 -n
    11. Verify, and if needed correct, the group ownership of the sqlnodir directory.

      After the idsicrt command in the previous step, the group ownership of sqlnodir might be root instead of idsldap:

      # ls -la /home/nrinst1/sqllib/sqlnodir/ 
      total 12 
      drwxrwxr-x. 2 root root 36 Apr 25 16:18 . 
      drwxr-xr-x. 51 nrinst1 idsldap 4096 Apr 25 16:18 .. 
      -rw-rw-r--. 1 root root 32 Apr 25 16:34 sqlnobak 
      -rw-rw-r--. 1 root root 32 Apr 25 16:34 sqlnodir

      If the group ownership is not the primary group (idsldap) of the non-root instance owner nrinst1, update it:

      # chgrp -R idsldap /home/nrinst1/sqllib/sqlnodir

      After the group ownership is updated, the listing should look like this (the files stay owned by root; nrinst1 gets access through the group write bit):

      # ls -la /home/nrinst1/sqllib/sqlnodir/ 
      total 16 
      drwxrwxr-x. 2 root idsldap 36 Apr 25 16:18 . 
      drwxr-xr-x. 51 nrinst1 idsldap 4096 Apr 25 16:18 .. 
      -rw-rw-r--. 1 root idsldap 32 Apr 25 16:34 sqlnobak 
      -rw-rw-r--. 1 root idsldap 32 Apr 25 16:34 sqlnodir
      Note: This step is required because the DB2 API that is used inside idsicrt changed its behavior with DB2 V10.5 and later versions. With DB2 V9.7 (along with TDS 6.3 / SDS 6.3.1), ownership is set correctly to root/idsldap by default.
  3. Configure the database, as the instance owner. object00 is the sample password used on this page; use your own, and keep in mind that a password passed on the command line is visible in the process list and is recorded in the shell history:
    # su - nrinst1
    $ idscfgdb -I nrinst1 -w object00 -a nrinst1 -t nrinst1 -l /home/nrinst1 -n
  4. Set the administrator DN and its password.
    $ idsdnpw -I nrinst1 -u cn=root -p object00 -n
  5. Configure the suffix.
    $ idscfgsuf -I nrinst1 -s o=sample
  6. Load data to the DIT.
    $ idsldif2db -I nrinst1 -i /opt/IBM/ldap/V10.0.4/examples/sample.ldif
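The ownership check from step 2.11 and the two configuration files written with echo in step 2.7, as a small reusable shell script. This is an added example and not code from the IBM page or product: the paths and group (/home/nrinst1, idsldap, 12.1.2) are the ones used above, the function names are my own, and the script only inspects files and runs chgrp; it does not call any DB2 or idsicrt command. The check is idempotent, so it can be re-run as a post-install verification after any idsicrt.

```shell
#!/bin/sh
# Added example, not IBM code. Helpers for the non-root instance procedure:
#   - sqlnodir_group_ok / fix_sqlnodir_group: the step 2.11 ownership check,
#     made idempotent so it can be re-run safely after any idsicrt.
#   - write_ldapdb_properties / write_db2rfe_cfg: the files built with echo in step 2.7.
# Function names, and the use of ls -ld for the group lookup, are my choices.

# Group name of one path. ls -ld is used instead of GNU stat -c so the same
# script works on AIX and Linux; the group is the fourth field of the listing.
path_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Return 0 when DIR itself and everything directly inside it (dotfiles
# included) belong to GROUP; otherwise print each offending path and return 1.
# Return 2 when DIR does not exist, so a typo in the instance home is not
# mistaken for "nothing to fix".
sqlnodir_group_ok() {
    dir=$1; group=$2; rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for p in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue            # unmatched glob pattern
        g=$(path_group "$p")
        if [ "$g" != "$group" ]; then
            echo "wrong group ($g, want $group): $p"
            rc=1
        fi
    done
    return $rc
}

# chgrp only when the check fails, then re-check. The owner is left alone: the
# page's expected listing keeps root as owner and relies on the group write bit.
fix_sqlnodir_group() {
    dir=$1; group=$2
    sqlnodir_group_ok "$dir" "$group" >/dev/null && return 0
    rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    chgrp -R "$group" "$dir" || return 1
    sqlnodir_group_ok "$dir" "$group"
}

# ldapdb.properties for a non-root DB2. VERSION should be what db2level reports.
write_ldapdb_properties() {
    out=$1; sqllib=$2; version=$3
    printf 'DB2Type=NON-ROOT\ncurrentDB2InstallPath=%s\ncurrentDB2Version=%s\n' \
        "$sqllib" "$version" > "$out"
}

# db2rfe.cfg enabling OS authentication for INSTANCE (trailing blank line as on the page).
write_db2rfe_cfg() {
    out=$1; instance=$2
    printf 'INSTANCENAME=%s\nENABLE_OS_AUTHENTICATION=YES\n\n' "$instance" > "$out"
}

# Usage on the page's instance (run as root after idsicrt):
#   write_ldapdb_properties /home/nrinst1/ldapdb.properties /home/nrinst1/sqllib 12.1.2
#   write_db2rfe_cfg /home/nrinst1/db2rfe.cfg nrinst1
#   fix_sqlnodir_group /home/nrinst1/sqllib/sqlnodir idsldap
```

fix_sqlnodir_group reports what it would change before touching anything, returns 0 without running chgrp when the ownership is already correct, and distinguishes a missing directory (exit 2) from a wrong group (exit 1), so it can sit in a post-install check without masking a mistyped instance home.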