A fix is available
APAR status
Closed as new function.
Error description
Add DB2OPT MQ Administration IDs to DSNTIJRT/DSNTRIN
Local fix
BYPASS/CIRCUMVENTION: NA
Problem summary
USERS AFFECTED: All Db2 13 for z/OS users of the following:
  o Db2 installation CLIST
  o Db2 installation job DSNTIJRT and program DSNTRIN
  o Db2 MQ user-defined functions

PROBLEM DESCRIPTION: The authorization ID that the Db2 installation job DSNTIJRT and program DSNTRIN had granted EXECUTE privilege on a Db2 MQ function is also granted ALL privileges on the Db2 MQ tables SYSIBM.MQPOLICY_TABLE and SYSIBM.MQSERVICE_TABLE.

RECOMMENDATION:

Program DSNTRIN is called by job DSNTIJRT to install and configure Db2-supplied routines (stored procedures and UDFs), including the Db2 objects, such as databases, used by the routines. It also detects and corrects missing and down-level SQL objects and packages for Db2-supplied routines.

The Db2 MQ tables SYSIBM.MQPOLICY_TABLE and SYSIBM.MQSERVICE_TABLE are used for the administration of the MQ policies and MQ services used by the Db2 MQ functions.

Currently, DSNTIJRT/DSNTRIN grants ALL privileges on the Db2 MQ tables to every authorization ID specified in the GRANTTO parameter of each Db2 MQ function configuration control statement. Therefore, any user with EXECUTE privilege on any Db2 MQ function also has ALL privileges on the two Db2 MQ tables. This means any user who is allowed to read messages from or write messages into MQ queues via the Db2 MQ functions is also able to delete or change all administration entries in SYSIBM.MQPOLICY_TABLE and SYSIBM.MQSERVICE_TABLE. Separation of duties requires different authorization IDs for use of the Db2 MQ functions and for administration of the MQ policies and services.
Problem conclusion
Temporary fix
Comments
This APAR enhances DSNTIJRT/DSNTRIN to allow users to specify different sets of authorization IDs for execution of the Db2 MQ functions and for administration of the Db2 MQ policies and services. With this enhancement, a user can specify a list of authorization IDs that will be granted ALL privileges on the Db2 MQ tables SYSIBM.MQPOLICY_TABLE and SYSIBM.MQSERVICE_TABLE, while only SELECT privilege is granted to the authorization IDs specified in the GRANTTO parameter of each Db2 MQ function configuration control statement.

The list of authorization IDs is specified using the new DSNTIJRT/DSNTRIN optional configuration (DB2OPT) keyword parameter MQ_ADMIN_ID. The example below shows how to specify MQ_ADMIN_ID in job DSNTIJRT, with a list of comma-separated authorization IDs:

//DSNTRIN  EXEC PGM=DSNTRIN,COND=(4,LT),
//         PARM=('DB2SSN(!DSN!) MODE(INSTALL)',
//         ' AUTHID(!AUTHID!) SECDEFID(!SECDEFID!)',
//         ' DEFPKOWN(!DEFPKOWN!)')
. . .
//DB2OPT   DD *
STOGROUP(SYSDEFLT)
INDEXSTOG(SYSDEFLT)
BP4K(BP0)
BP8K(BP8K0)
BP16K(BP16K0)
BP32K(BP32K)
LOBBP8K(BP8K0)
LOBBP16K(BP16K0)
LOBBP32K(BP32K)
IMS_SECURITY(Db2)
MQ_SECURITY(Db2)
SOAP_SECURITY(Db2)
RTN_PKG_APPLCOMPAT(DEFAULT)
RTN_PKG_PLANMGMT(DEFAULT)
MQ_ADMIN_ID(MQUID1,MQUID2,MQUID3)

If a user wants DSNTIJRT/DSNTRIN to continue with the pre-APAR PH55025 behavior, where DSNTIJRT/DSNTRIN grants ALL privileges on the Db2 MQ tables to all the authorization IDs specified in the GRANTTO parameter of each Db2 MQ function configuration control statement, they can do either of the following:
  o Specify MQ_ADMIN_ID(DEFAULT)
  o Omit the MQ_ADMIN_ID keyword parameter entirely

This APAR also modifies the Db2 installation CLIST panel DSNTIPG1 (INSTALLATION PREFERENCES PANEL 2) by adding a new MQ ADMIN ID(S) field. This field specifies the MQ_ADMIN_ID setting for the DB2OPT parameter in job DSNTIJRT.
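Applying the APAR changes what DSNTIJRT/DSNTRIN grants going forward, but it does not by itself tell you whether grants made under the pre-APAR behavior are still in the catalog. The following audit is an added example, not code from IBM or from this APAR: it takes rows in the shape of the SYSIBM.SYSTABAUTH catalog table (the column names GRANTEE, TCREATOR, TTNAME, SELECTAUTH, INSERTAUTH, UPDATEAUTH and DELETEAUTH, with ' ', 'Y' or 'G' as values, are my assumption about the catalog layout) together with the intended MQ_ADMIN_ID list, and reports every authorization ID that holds INSERT, UPDATE or DELETE on the two MQ administration tables without being an intended administrator. The catalog rows are constructed sample data; a real run would feed it the result of a SELECT against SYSIBM.SYSTABAUTH. It also drafts the corresponding REVOKE statements for a DBA to review.

```python
"""Audit write privileges on the Db2 MQ administration tables.

Added illustration, not IBM code. Assumes the SYSIBM.SYSTABAUTH layout with
GRANTEE, TCREATOR, TTNAME and per-privilege columns holding ' ', 'Y' or 'G'
('G' = held WITH GRANT OPTION). All rows below are constructed sample data.
"""

# The two tables this APAR is about; only these are inspected.
MQ_ADMIN_TABLES = {("SYSIBM", "MQPOLICY_TABLE"), ("SYSIBM", "MQSERVICE_TABLE")}

# Privilege columns that allow changing administration entries. SELECT alone
# is what the post-APAR GRANTTO IDs are meant to keep, so it is not flagged.
WRITE_COLUMNS = ("INSERTAUTH", "UPDATEAUTH", "DELETEAUTH")

# Constructed sample of SYSIBM.SYSTABAUTH rows (subset of columns).
SAMPLE_SYSTABAUTH = [
    # Pre-APAR style grant: a function user that received ALL privileges.
    {"GRANTEE": "MQUSER1", "TCREATOR": "SYSIBM", "TTNAME": "MQPOLICY_TABLE",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y", "UPDATEAUTH": "Y", "DELETEAUTH": "Y"},
    {"GRANTEE": "MQUSER1", "TCREATOR": "SYSIBM", "TTNAME": "MQSERVICE_TABLE",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y", "UPDATEAUTH": "Y", "DELETEAUTH": "Y"},
    # Post-APAR style grant: a function user with SELECT only.
    {"GRANTEE": "MQUSER2", "TCREATOR": "SYSIBM", "TTNAME": "MQPOLICY_TABLE",
     "SELECTAUTH": "Y", "INSERTAUTH": " ", "UPDATEAUTH": " ", "DELETEAUTH": " "},
    # An intended administrator listed in MQ_ADMIN_ID.
    {"GRANTEE": "MQUID1", "TCREATOR": "SYSIBM", "TTNAME": "MQPOLICY_TABLE",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y", "UPDATEAUTH": "Y", "DELETEAUTH": "G"},
    # An unrelated table; must be ignored by the audit.
    {"GRANTEE": "MQUSER1", "TCREATOR": "DSN8C10", "TTNAME": "EMP",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y", "UPDATEAUTH": "Y", "DELETEAUTH": "Y"},
]


def has_privilege(value):
    """'Y' and 'G' both mean the privilege is held."""
    return value in ("Y", "G")


def find_unexpected_writers(rows, mq_admin_ids):
    """Return (grantee, table, [privileges]) for non-admin IDs that can modify
    the MQ administration tables. Comparison is case-insensitive on the ID."""
    admins = {authid.strip().upper() for authid in mq_admin_ids}
    findings = []
    for row in rows:
        if (row["TCREATOR"], row["TTNAME"]) not in MQ_ADMIN_TABLES:
            continue
        held = [col[:-4] for col in WRITE_COLUMNS if has_privilege(row[col])]
        if held and row["GRANTEE"].upper() not in admins:
            table = f'{row["TCREATOR"]}.{row["TTNAME"]}'
            findings.append((row["GRANTEE"], table, held))
    return sorted(findings)


def revoke_statements(findings):
    """Draft REVOKE statements for review; not executed here."""
    return [
        f"REVOKE {', '.join(privs)} ON {table} FROM {grantee};"
        for grantee, table, privs in findings
    ]


if __name__ == "__main__":
    admin_ids = ["MQUID1", "MQUID2", "MQUID3"]  # mirrors the DB2OPT MQ_ADMIN_ID list
    for stmt in revoke_statements(find_unexpected_writers(SAMPLE_SYSTABAUTH, admin_ids)):
        print(stmt)
```

The admin list is the same set of IDs you put in MQ_ADMIN_ID, so the audit expresses the separation of duties the APAR introduces: only those IDs may hold write privileges on the two tables, and everyone else is expected to have at most SELECT. Review the drafted REVOKE statements before running them, since revoking a privilege in Db2 can cascade to privileges the grantee passed on.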
APAR Information
APAR number
PH55025
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
D10
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-06-07
Closed date
2023-08-24
Last modified date
2023-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI93296
Modules/Macros
DSNTXAZP DSN@RIN DSNTIWPC DSNTIDXA DSNTIJRT DSNTINS1 DSNTINST DSNTIDXC DSNTIDXB DSNTINSV DSNTINM1 DSNTIVMN DSNTIWMN DSNTIVIN DSNTIPG1 DSNTIWMS DSNTIVMS DSNTIWIN DSN@XAZP DSNTRIN
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RD10 PSY UI93296
UP23/09/06 P F309
Document Information
Modified date:
02 October 2023