Setting up DBA user for Unified Management Server
Unified Management Server (UMS) uses the DBA user ID (also referred to as UMS DBA user ID) for requesting several backend system and subsystem services. UMS uses this ID both on behalf of a logged-in user and without any user interaction.
Role for DBA user in Unified Management Server
Unified Management Server uses the DBA user ID in the following contexts:
- On behalf of a logged-in user: The DBA user ID performs actions that require elevated privileges that the logged-in user does not have. For example, UMS uses the DBA user ID for some actions during a subsystem registration, which is initiated by a logged-in user.
- Without a logged-in user: The DBA user ID performs background tasks that the UMS initiates without user interaction. For example, UMS uses the DBA user ID for subsystem discovery.
IBM recommends using a service user ID (also referred to as a technical user) as the DBA user ID. A service user ID represents a system function and is not associated with an individual.
The DBA user ID and the UMS logged-in user ID that initiates a task or action have different purposes and different security requirements, and this documentation describes the security requirements for each role separately. The same user ID can be used for both the DBA user role and the UMS started task user role; in that case, the user ID must meet the security requirements of both roles.
You can define a DBA user ID as the UMS default DBA user ID. All experience products require the default DBA user ID.
You can use this default DBA user ID for all registered Db2 subsystems. You can also define a specific DBA user for an individual Db2 subsystem when registering it for Db2® Administration Foundation or Db2 DevOps Experience. For information about specifying a subsystem-specific DBA user, see Registering Db2 subsystems. IMS Administration Foundation always uses the default UMS DBA user ID for all registered IMS data sharing groups.
Whether the DBA user ID is the default one or a subsystem-specific one, it requires a specific set of privileges to perform the backend system and subsystem tasks. Some user ID characteristics and privileges are common across Db2 and IMS; others are specific to a particular subsystem type.
- Common requirements for a DBA user ID
- Every DBA user ID must have the following characteristics:
- A DBA user ID must have an OMVS segment.
- A DBA user ID must be assigned a UID and a GID in OMVS.
- A DBA user ID must have z/OSMF user privileges for the z/OS jobs REST services and the z/OS data set and file REST services.
Note: These privileges require a TSO segment on the DBA user ID. For details, see the 'Configure the z/OS jobs REST services' and 'Configure the z/OS data set and file REST services' topics in the z/OS Management Facility Configuration Guide.
- Db2-specific privileges for a DBA user ID
- The default DBA user ID is used for Db2 subsystem discovery. For backend processing related to Db2 Administration Foundation or Db2 DevOps Experience features, you can use either the default DBA user ID or a subsystem-specific DBA user ID.
- IMS-specific privileges for a DBA user ID
- The default DBA user ID is used for IMS object discovery and all backend processing for IMS Administration Foundation features. The default DBA user ID must have the following privileges when IMS Administration Foundation is activated:
- IMS system administrator or IMS system programmer privileges for each IMS subsystem used for UMS. For more information, see Security setup for IMS Administration Foundation.
- ALTER access to the temporary data sets whose high-level qualifier is defined by the imsTempDatasetHLQ parameter. For more information, see the description of the PARMLIB member IZPIMSPM in Installing IMS Administration Foundation.
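The following batch RACF job is an added example, not part of the UMS or IBM documentation, showing one way to define a DBA user ID that meets the common requirements above (OMVS segment with UID and GID, TSO segment for the z/OSMF REST services) and the IMS-specific ALTER access. Every name in it is an assumption: UMSDBA and UMSGRP for the user and its group, UID/GID 3101, ACCT1 and ISPFPROC for the TSO account and logon procedure, IZUUSER for the z/OSMF user group that the z/OSMF IZUSEC setup job defines, and IMSTMP as the imsTempDatasetHLQ value. The ID is created as a protected user ID (no password or password phrase), which is the recommended form for Method 2 below; for Method 1 the ID needs a password, so replace NOPASSWORD NOPHRASE with PASSWORD(...).

```jcl
//UMSDBA   JOB (ACCT),'DEFINE UMS DBA ID',CLASS=A,MSGCLASS=X
//* Added example (not from the UMS or IBM documentation).
//* Assumed names: UMSDBA (DBA user ID), UMSGRP (default group),
//* UID/GID 3101, ACCT1/ISPFPROC (TSO account and logon proc),
//* IZUUSER (z/OSMF user group), IMSTMP (imsTempDatasetHLQ value).
//* Requires RACF SPECIAL authority; adjust to your installation.
//*
//* ADDGROUP UMSGRP ...  gives the ID a default group with an OMVS GID.
//* ADDUSER ... NOPASSWORD NOPHRASE  creates a protected service ID
//*   (cannot log on with a password, cannot be revoked by bad logons).
//*   Method 1 needs a password: use PASSWORD(...) instead.
//* TSO(...)  adds the TSO segment that z/OSMF REST services require;
//*   if the ACCTNUM and TSOPROC classes are active, the ID must also
//*   be permitted to ACCT1 and ISPFPROC in those classes.
//* CONNECT ... GROUP(IZUUSER)  grants z/OSMF user privileges through
//*   the default z/OSMF user group (see the z/OSMF Configuration Guide
//*   for the REST-service-specific profiles).
//* ADDSD/PERMIT  give ALTER on the IMS temporary data sets; the HLQ of
//*   a DATASET profile must itself be a RACF user ID or group.
//* LISTUSER/LISTDSD  verify segments, group membership and access.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP UMSGRP SUPGROUP(SYS1) OWNER(SYS1) OMVS(GID(3101))
 ADDUSER UMSDBA NAME('UMS DBA SERVICE ID') OWNER(UMSGRP) -
   DFLTGRP(UMSGRP) NOPASSWORD NOPHRASE -
   OMVS(UID(3101) HOME('/u/umsdba') PROGRAM('/bin/sh')) -
   TSO(ACCTNUM(ACCT1) PROC(ISPFPROC) SIZE(4096))
 CONNECT UMSDBA GROUP(IZUUSER)
 ADDGROUP IMSTMP SUPGROUP(SYS1) OWNER(SYS1)
 ADDSD 'IMSTMP.**' UACC(NONE) OWNER(IMSTMP) GENERIC
 PERMIT 'IMSTMP.**' CLASS(DATASET) GENERIC ID(UMSDBA) ACCESS(ALTER)
 SETROPTS GENERIC(DATASET) REFRESH
 LISTUSER UMSDBA OMVS TSO
 LISTDSD DATASET('IMSTMP.**') GENERIC AUTHUSER
/*
```

After the job runs, the LISTUSER output should show the OMVS segment with UID 3101 and GID 3101, the TSO segment, the PROTECTED attribute, and IZUUSER in the group list; the LISTDSD output should show UMSDBA with ALTER in the access list. A UACC of NONE on the temporary data set profile keeps the temporary data sets, which UMS writes on behalf of users, from being readable by everyone on the system.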
Specifying the UMS DBA user
- Method 1: Specifying a DBA user by user ID and encryption token
- In this method, the UMS DBA user ID and its password are encrypted by using an encryption key, and a cryptographic token must be created to access that key. You specify the default DBA user by its user ID and the token in the UMS configuration. During the UMS installation process, the user ID and a user-provided password are encrypted by using the key and stored for use by UMS. The default DBA user ID and its token are specified in the configuration parameter section components.izp.security.pkcs11. For details, see Step 2: Installing Unified Management Server. Because the DBA user ID must have a password in this method, it cannot be a protected user ID; restrict access to the token and the key as strictly as to the password itself. You can override this default DBA user ID for a Db2 subsystem when you register it for Db2 Administration Foundation or Db2 DevOps Experience. For details on how to specify a DBA user that is specific to a Db2 subsystem, see Registering Db2 subsystems.
- Method 2: Specifying a DBA user by certificate
- In this method, you specify in the UMS configuration the key ring of a certificate that is associated with the default UMS DBA user ID. Using a protected user ID as the default DBA user ID is recommended: a protected user ID has no password or password phrase, so it cannot be used for password logon and cannot be revoked by failed logon attempts. For details on preparing the DBA user ID and its associated certificate and key ring, see Configuring the DBA user by using a certificate.
The related JVM argument is com.rocketsoft.izp.avoidDb2ConnectionsInSystemDiscovery=true. For details on how to specify the JVM argument, see the parameter components.izp.server.javaArgs in Step 2: Installing Unified Management Server. com.rocketsoft.izp.avoidDb2ConnectionsInSystemDiscovery=true is the default. For details on how to configure UMS and IMS Administration Foundation for Method 2, see Installing IMS Administration Foundation and its subsections.
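The following batch RACF job is an added example, not part of the UMS or IBM documentation, showing one way to prepare a protected DBA user ID with a certificate and key ring for Method 2. The names are assumptions: UMSDBA for the DBA user ID, UMSRING for the key ring, LOCALCA for the label of an existing CERTAUTH certificate that signs the new one, and UMSSTC for the user ID under which the UMS started task runs. The certificate properties that UMS itself expects (subject, signer, validity) are defined in Configuring the DBA user by using a certificate, not here.

```jcl
//UMSCERT  JOB (ACCT),'UMS DBA KEY RING',CLASS=A,MSGCLASS=X
//* Added example (not from the UMS or IBM documentation).
//* Assumed names: UMSDBA (DBA user ID), UMSRING (key ring),
//* LOCALCA (existing CERTAUTH signing certificate label),
//* UMSSTC (UMS started task user ID that must read the ring).
//* Requires RACF SPECIAL authority and an active, RACLISTed
//* RDATALIB class; adjust to your installation.
//*
//* ALTUSER ... NOPASSWORD NOPHRASE  makes UMSDBA a protected ID,
//*   which the documentation recommends for Method 2.
//* RACDCERT GENCERT  creates a 2048-bit RSA certificate owned by
//*   UMSDBA, signed by the installation CA LOCALCA.
//* ADDRING/CONNECT  build the ring that the UMS configuration names,
//*   with the personal certificate as DEFAULT plus the CA chain.
//* RDATALIB UMSDBA.UMSRING.LST  controls who may read the ring:
//*   READ reads certificates and the caller's own private keys;
//*   UPDATE is needed for a different ID (UMSSTC) to use UMSDBA's
//*   private key. If the started task runs as UMSDBA itself, READ
//*   is enough and the PERMIT to UMSSTC is not needed.
//* LISTRING/LISTUSER  verify the ring contents and PROTECTED status.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ALTUSER UMSDBA NOPASSWORD NOPHRASE
 RACDCERT ID(UMSDBA) GENCERT -
   SUBJECTSDN(CN('UMSDBA') OU('UMS') O('EXAMPLE')) -
   SIZE(2048) NOTAFTER(DATE(2027-12-31)) -
   WITHLABEL('UMSDBA') SIGNWITH(CERTAUTH LABEL('LOCALCA'))
 RACDCERT ID(UMSDBA) ADDRING(UMSRING)
 RACDCERT ID(UMSDBA) CONNECT(ID(UMSDBA) LABEL('UMSDBA') -
   RING(UMSRING) USAGE(PERSONAL) DEFAULT)
 RACDCERT ID(UMSDBA) CONNECT(CERTAUTH LABEL('LOCALCA') -
   RING(UMSRING) USAGE(CERTAUTH))
 RDEFINE RDATALIB UMSDBA.UMSRING.LST UACC(NONE)
 PERMIT UMSDBA.UMSRING.LST CLASS(RDATALIB) ID(UMSSTC) -
   ACCESS(UPDATE)
 SETROPTS RACLIST(DIGTCERT RDATALIB) REFRESH
 RACDCERT ID(UMSDBA) LISTRING(UMSRING)
 LISTUSER UMSDBA
/*
```

Keeping UACC(NONE) on the RDATALIB profile and granting UPDATE only to the started task user limits who can exercise the DBA user's private key, which in this method is the credential that stands in for a password. The LISTUSER output should show the PROTECTED attribute, and LISTRING should show the UMSDBA certificate as the default entry with LOCALCA connected as CERTAUTH.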