Assigning user IDs

To connect to Db2 for z/OS, the IBM Integrated Synchronization component on the accelerator requires a user ID for authentication. A user ID is also needed to verify authorizations for access to the IBM Integrated Synchronization API and to the log records.

About this task

Although you can use any existing user ID for that purpose, a dedicated user ID is recommended. In the examples that follow, the user ID DB2SYNC is used.

Procedure

  1. Create a dedicated user ID for IBM Integrated Synchronization in RACF®.
    You can use password authentication or PassTicket authentication for this user.

    For PassTicket authentication: Usually, more logon requests are sent to Db2 for z/OS per second than new PassTickets can be generated in that time. To prevent all but the first logon attempt in each second from failing, specify NO REPLAY PROTECTION in the RACF profile for Db2 for z/OS when you activate PassTicket authentication.

    1. Activate PassTicket support by running the following TSO session commands:
      SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
      SETROPTS GENERIC(PTKTDATA)
    2. Define the RACF profile for the application (Db2 for z/OS in this case):
      RDEFINE PTKTDATA <applName> SSIGNON(KEYMASKED(<key>)) APPLDATA('NO REPLAY PROTECTION')

      where:

      <applName>

      This is the name of the application that requests and uses the PassTickets. To find the application name, run the Db2 command -DISPLAY DDF and check the output on the screen:

      1. If GENERICLU is output on the screen, use the second part of GENERICLU as the application name.
      2. If GENERICLU is not defined (no output on screen), use the second part of the logical unit name (LU name) as the application name.
      3. If neither GENERICLU nor LU is defined, use the value of IPNAME as the application name.
      <key>
      This is the secret token. The secret token is the secure sign-on key with a value of 16 hexadecimal digits (for an 8-byte or 64-bit key), which is defined in RACF for the chosen application name.
      Remember: To enable incremental updates on the IBM Db2 Analytics Accelerator Console later, the application name and the sign-on key are needed. Therefore, make sure to pass this information to the administrator of the accelerator.
    3. Run the following TSO session commands to define the RACF profile for the PassTicket generation:
      RDEFINE PTKTDATA IRRPTAUTH.<applName>.* UACC(NONE)
      PERMIT IRRPTAUTH.<applName>.* ID(<db2-ddf-user>) ACCESS(UPDATE) CLASS(PTKTDATA)

      where <db2-ddf-user> is the user ID under which the Db2 DDF address space (DIST) runs.

    4. Finally, refresh and activate the PTKTDATA class:
      SETROPTS RACLIST(PTKTDATA) REFRESH
  2. Add a DSNR profile.
    This profile controls the access to the IBM Integrated Synchronization API. The user ID created in step 1 requires read access to this profile. Ownership must be assigned to the user ID that starts the Db2 subsystem or data sharing member that you want to connect to. The profile name must consist of the Db2 subsystem or member name followed by a dot and the keyword ACCEL.
    For example:
    DB2A.ACCEL
    The RACF commands you need to run to create this profile and grant the required read access are (in accordance with the names previously introduced):
    RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
    PERMIT DB2A.ACCEL CLASS(DSNR) ID(DB2SYNC) ACCESS(READ)
  3. The user ID created in step 1 also needs read access to the DB2A.DIST profile.
    Most likely, this .DIST profile already exists because it controls all remote access to Db2. If it does not yet exist, define it in the same way as the DB2A.ACCEL profile.
    Example:
    RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
    PERMIT DB2A.DIST CLASS(DSNR) ID(DB2SYNC) ACCESS(READ)
  4. To access the log records, the DB2SYNC user ID needs MONITOR2 authorization.
    Grant this authorization by using the following commands:
    GRANT MONITOR2 TO DB2SYNC;
    COMMIT;

  5. The DB2SYNC user ID also requires permission to run the SYSPROC.ACCEL_SET_TABLES_ACCELERATION and SYSPROC.ACCEL_REMOVE_TABLES stored procedures.
    For details, see the Authorizations for z/OS sections in the topics that describe these stored procedures.
  6. In addition, the DB2SYNC user ID requires read access to the AQTDEF6 and AQTENV data set members of your IBM Db2 Analytics Accelerator installation. The name of the data set that these members belong to depends on your product configuration. Grant the read privilege to the RACF user profile that has access to these members.
    This will probably not be one of the profiles already mentioned, but yet another RACF profile. In generic form, the command is:
    PERMIT <profile name> ID(DB2SYNC) ACCESS(READ)

    where <profile name> is the name of the identified RACF profile.

  7. Define an OMVS segment in RACF for the DB2SYNC user ID.
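As an added example (not part of the original IBM documentation), the following Python helper applies the application-name rule from step 1 and emits the RACF command sequence from steps 1 to 3 for review before anyone types it into a TSO session. It also rejects a sign-on key that is not exactly 16 hexadecimal digits and, as a least-privilege check, confirms that every profile it defines carries UACC(NONE). The names SYEC1DB2, SYSDSP, DB2A and DB2USER are constructed sample values, and treating the string "-NONE" as "not defined" is an assumption about how -DISPLAY DDF reports an undefined GENERICLU or IPNAME.

```python
import re

# A secure sign-on key is 16 hex digits (8 bytes / 64 bits), as the procedure states.
HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")


def _defined(value):
    # Assumption: -DISPLAY DDF shows "-NONE" for an undefined value; None/"" also mean undefined.
    return bool(value) and value.strip().upper() != "-NONE"


def application_name(genericlu=None, luname=None, ipname=None):
    """Second part of GENERICLU, else second part of the LU name, else IPNAME."""
    for qualified in (genericlu, luname):
        if _defined(qualified):
            parts = qualified.strip().split(".")
            if len(parts) != 2 or not parts[1]:
                raise ValueError(f"expected NETID.NAME form, got {qualified!r}")
            return parts[1]
    if _defined(ipname):
        return ipname.strip()
    raise ValueError("neither GENERICLU, LU name nor IPNAME is defined")


def racf_commands(appl_name, key, ddf_user, subsystem, owner,
                  sync_user="DB2SYNC", define_dist=False):
    """Return the RACF commands of steps 1-3; the caller reviews them before running them."""
    if not HEX16.match(key):
        raise ValueError("secure sign-on key must be exactly 16 hexadecimal digits")
    cmds = [
        "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)",
        "SETROPTS GENERIC(PTKTDATA)",
        f"RDEFINE PTKTDATA {appl_name} SSIGNON(KEYMASKED({key})) APPLDATA('NO REPLAY PROTECTION')",
        f"RDEFINE PTKTDATA IRRPTAUTH.{appl_name}.* UACC(NONE)",
        f"PERMIT IRRPTAUTH.{appl_name}.* ID({ddf_user}) ACCESS(UPDATE) CLASS(PTKTDATA)",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
        f"RDEFINE DSNR ({subsystem}.ACCEL) OWNER({owner}) UACC(NONE)",
        f"PERMIT {subsystem}.ACCEL CLASS(DSNR) ID({sync_user}) ACCESS(READ)",
    ]
    if define_dist:  # only when the .DIST profile does not exist yet (step 3)
        cmds.append(f"RDEFINE DSNR ({subsystem}.DIST) OWNER({owner}) UACC(NONE)")
    cmds.append(f"PERMIT {subsystem}.DIST CLASS(DSNR) ID({sync_user}) ACCESS(READ)")
    return cmds


def defines_with_uacc_none(cmds):
    """Least-privilege check: every RDEFINE that names a profile must carry UACC(NONE)."""
    defines = [c for c in cmds if c.startswith("RDEFINE ") and "IRRPTAUTH" in c or c.startswith("RDEFINE DSNR")]
    return all("UACC(NONE)" in c for c in defines)
```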