A fix is available
APAR status
Closed as new function.
Error description
db2ddf Db2 for z/OS new function.
Local fix
Problem summary
USERS AFFECTED: All Distributed Data Facility (DDF) users. Specifically users of system profiles for the monitoring of connections for remote TCP/IP access into Db2 for z/OS servers.

PROBLEM DESCRIPTION: This APAR adds the new MONITOR product_type CONNECTIONS FOR SECURITY keyword functions to Db2 System Profile Monitoring.

RECOMMENDATION:

A security administrator lacks granular controls to support the migration of Db2 clients to approved authentication methods and encrypted connections, and to enforce their use. Currently, migrating applications to compliant authentication methods and deploying encrypted connections can take a considerable amount of effort and time, depending on access type. Some clients, such as REST clients, can easily enable secure connections, while Db2 Connect clients require additional installation steps that prolong enablement. A mechanism that can identify and enforce security compliance selectively, based on access type, is desirable because it allows a user to enable secure connections in a phased manner.
Problem conclusion
Temporary fix
Comments
This APAR provides a simple approach to discover which applications are not using compliant authentication mechanisms or have not enabled encrypted connections so that corrective actions can be taken. This APAR also adds the ability to enforce compliance.

The following new actions are added to the KEYWORDS column of the DSN_PROFILE_ATTRIBUTES table:

- MONITOR REST CONNECTIONS FOR SECURITY
- MONITOR JDBC CONNECTIONS FOR SECURITY
- MONITOR CLI CONNECTIONS FOR SECURITY
- MONITOR DB2CONNECT CONNECTIONS FOR SECURITY
- MONITOR DSN CONNECTIONS FOR SECURITY
- MONITOR * CONNECTIONS FOR SECURITY

The new keyword values can only be specified for profiles using the default location filtering criteria. These new keyword values enable the definition of profiles, based on application requester product type, to discover and enforce the usage of authorization mechanisms and encrypted connections.

This APAR adds the following new DSNT775I and DSNT776I messages:

- DSNT775I csect-name SERVER DISTRIBUTED AGENT WITH LUWID=luwid THREAD-INFO=thread-information PRDID=product-identifier FOR LOCATION=location RECEIVED event-type WARNING DUE TO PROFILE ID=profile-id OCCURRED number TIME(S)
- DSNT776I csect-name SERVER DISTRIBUTED AGENT WITH LUWID=luwid THREAD-INFO=thread-information PRDID=product-identifier FOR LOCATION=location RECEIVED event-type EXCEPTION DUE TO PROFILE ID=profile-id OCCURRED number TIME(S)

For more information about using profiles to monitor remote connections for security purposes, see the Db2 for z/OS documentation: https://www.ibm.com/support/knowledgecenter/en/SSEPEK_13.0.0/admin/src/tpc/db2z_createprofiles.html

**** PE23/03/13 FIX IN ERROR. SEE APAR PH53182 FOR DESCRIPTION
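An added example, not IBM code: a Python parser for the DSNT775I and DSNT776I templates listed above that tallies warnings and exceptions per profile ID, PRDID and location, so the clients still needing migration can be listed. It assumes the messages were exported as plain text with any console prefixes removed; every value in `SAMPLE` (csect name, LUWIDs, PRDIDs, locations, event-type placeholders) is constructed.

```python
import re
from collections import defaultdict

# Built from the two message templates in the APAR text. event-type is matched
# as [^=]+? so a truncated message cannot absorb the next one's LUWID= field.
MSG_RE = re.compile(
    r"(?P<msgid>DSNT77[56]I) (?P<csect>\S+) SERVER DISTRIBUTED AGENT WITH "
    r"LUWID=(?P<luwid>\S+) THREAD-INFO=(?P<thread_info>\S+) "
    r"PRDID=(?P<prdid>\S+) FOR LOCATION=(?P<location>\S+) "
    r"RECEIVED (?P<event_type>[^=]+?) (?P<severity>WARNING|EXCEPTION) "
    r"DUE TO PROFILE ID=(?P<profile_id>\d+) OCCURRED (?P<count>\d+) TIME\(S\)"
)
EXPECTED = {"DSNT775I": "WARNING", "DSNT776I": "EXCEPTION"}

# Constructed sample: wrapped console lines, placeholder event types.
SAMPLE = """\
DSNT775I CSECT01 SERVER DISTRIBUTED AGENT WITH LUWID=NET1.LU1.AAAA0001=11
 THREAD-INFO=USER1:*:*:*:*:*:*:* PRDID=JCC04330 FOR LOCATION=192.0.2.10
 RECEIVED EVENT-TYPE-1 WARNING DUE TO PROFILE ID=101 OCCURRED 1 TIME(S)
DSNT776I CSECT01 SERVER DISTRIBUTED AGENT WITH LUWID=NET1.LU1.AAAA0002=12
 THREAD-INFO=USER2:*:*:*:*:*:*:* PRDID=SQL11058 FOR LOCATION=192.0.2.20
 RECEIVED EVENT-TYPE-2 EXCEPTION DUE TO PROFILE ID=102 OCCURRED 4 TIME(S)
DSNT775I CSECT01 SERVER DISTRIBUTED AGENT WITH LUWID=NET1.LU1.AAAA0003=13
 THREAD-INFO=USER1:*:*:*:*:*:*:* PRDID=JCC04330 FOR LOCATION=192.0.2.10
 RECEIVED EVENT-TYPE-1 WARNING DUE TO PROFILE ID=101 OCCURRED 2 TIME(S)
"""

def parse_messages(text):
    """Return one dict per well-formed DSNT775I/DSNT776I message in text."""
    flat = " ".join(text.split())  # undo console line wrapping
    records = []
    for m in MSG_RE.finditer(flat):
        rec = m.groupdict()
        if EXPECTED[rec["msgid"]] != rec["severity"]:
            continue  # message id and severity disagree: not a defined message
        rec["profile_id"] = int(rec["profile_id"])
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records

def summarize(records):
    """Count messages per severity for each (profile id, PRDID, location)."""
    summary = defaultdict(lambda: {"WARNING": 0, "EXCEPTION": 0})
    for r in records:
        key = (r["profile_id"], r["prdid"], r["location"])
        summary[key][r["severity"]] += 1
    return dict(summary)
```

The summary counts messages seen, not the OCCURRED value, because the APAR text does not say whether that number is cumulative.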
APAR Information
APAR number
PH48764
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
D10
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-08-17
Closed date
2023-02-28
Last modified date
2023-04-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI90788
Modules/Macros
DSNLJEMG DSNT1MNA DSNDQW05 DSNWVZCK DSNXECWA DSNLTEXC DSNLTACT DSNLTSEC DSNXECWU DSNLILNR DSNLIRTR DSNFCDIR DSNLZOGV DSNDQW04 DSNLJTIN DSNXESSR DSNLAGNT DSNXELX DSNLQDIS DSNLJHPP DSNLSSST DSNTSTRT DSNT1SDV DSNWARDS DSNFTDIR DSNLCTRC DSNT1MST DSNT1RSP DSNLEDDA DSNXEPM DSNLQINA DSNXECW DSNLTACC
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RD10 PSY UI90788
UP23/03/09 P F303
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 April 2023