IBM Support

PH55025: ADD DB2OPT MQ ADMINISTRATION IDS TO DSNTIJRT/DSNTRIN

A fix is available


APAR status

  • Closed as new function.

Error description

  • Add DB2OPT MQ Administration IDs to DSNTIJRT/DSNTRIN
    

Local fix

  • BYPASS/CIRCUMVENTION:
    NA
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All Db2 13 for z/OS users of the following:                  *
    * o Db2 installation CLIST                                     *
    * o Db2 installation job DSNTIJRT                              *
    *   and program DSNTRIN                                        *
    * o Db2 MQ user-defined functions                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * An authorization ID to which the Db2                         *
    * installation job DSNTIJRT and program                        *
    * DSNTRIN grant EXECUTE privilege on a                         *
    * Db2 MQ function is also granted ALL                          *
    * privileges on the Db2 MQ tables                              *
    * SYSIBM.MQPOLICY_TABLE and                                    *
    * SYSIBM.MQSERVICE_TABLE.                                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Program DSNTRIN is called by job DSNTIJRT to install and
    configure Db2-supplied routines (stored procedures and UDFs),
    including the Db2 objects, such as databases, used by the
    routines. It also detects and corrects missing and down-level
    SQL objects and packages for Db2-supplied routines.
    The Db2 MQ tables SYSIBM.MQPOLICY_TABLE and
    SYSIBM.MQSERVICE_TABLE are used for the administration of
    MQ policies and MQ services used by the Db2 MQ functions.
    Currently, DSNTIJRT/DSNTRIN grants ALL privileges on the Db2
    MQ tables to all the authorization IDs specified in the GRANTTO
    parameter of each Db2 MQ function configuration control
    statement. Therefore, any user with EXECUTE privilege on any
    Db2 MQ function also has ALL privileges on the two Db2 MQ
    tables. This means any user who is allowed to read from or
    write messages into MQ queues via Db2 MQ functions is also able
    to delete or change all administration entries in
    SYSIBM.MQPOLICY_TABLE and SYSIBM.MQSERVICE_TABLE.
    Separation of duties requires different authorization IDs for
    the use of the Db2 MQ functions and for administration of the
    MQ policies and services.
    

Problem conclusion

Temporary fix

Comments

  • This APAR enhances DSNTIJRT/DSNTRIN to allow users to specify
    different sets of authorization IDs for execution of the Db2
    MQ functions and for administration of the Db2 MQ policies
    and services.
    With this enhancement, a user can specify a list of
    authorization IDs that will be granted ALL privileges on the
    Db2 MQ tables SYSIBM.MQPOLICY_TABLE and
    SYSIBM.MQSERVICE_TABLE, and at the same time only grant
    SELECT privilege to all the authorization IDs specified in
    the GRANTTO parameter of each Db2 MQ function configuration
    control statement. The list of authorization IDs is specified
    using the new DSNTIJRT/DSNTRIN optional configuration
    (DB2OPT) keyword parameter MQ_ADMIN_ID.
    The example below shows how to specify MQ_ADMIN_ID in job
    DSNTIJRT, with a list of comma-separated authorization IDs:
      //DSNTRIN EXEC PGM=DSNTRIN,COND=(4,LT),
      //             PARM=('DB2SSN(!DSN!) MODE(INSTALL)',
      //             ' AUTHID(!AUTHID!) SECDEFID(!SECDEFID!)',
      //             ' DEFPKOWN(!DEFPKOWN!)')
      . . .
      //DB2OPT   DD  *
        STOGROUP(SYSDEFLT)
        INDEXSTOG(SYSDEFLT)
        BP4K(BP0)
        BP8K(BP8K0)
        BP16K(BP16K0)
        BP32K(BP32K)
        LOBBP8K(BP8K0)
        LOBBP16K(BP16K0)
        LOBBP32K(BP32K)
        IMS_SECURITY(Db2)
        MQ_SECURITY(Db2)
        SOAP_SECURITY(Db2)
        RTN_PKG_APPLCOMPAT(DEFAULT)
        RTN_PKG_PLANMGMT(DEFAULT)
        MQ_ADMIN_ID(MQUID1,MQUID2,MQUID3)
    If a user wants DSNTIJRT/DSNTRIN to continue with the
    pre-APAR PH55025 behavior, where DSNTIJRT/DSNTRIN grants ALL
    privileges on the Db2 MQ tables to all the authorization IDs
    specified in the GRANTTO parameter of each Db2 MQ function
    configuration control statement, they can do either of the
    following:
      o Specify MQ_ADMIN_ID(DEFAULT)
      o Do not specify the MQ_ADMIN_ID keyword parameter
    This APAR also modifies the Db2 installation CLIST panel
    DSNTIPG1 (INSTALLATION PREFERENCES PANEL 2) by adding a new
    MQ ADMIN ID(S) field. This field specifies the MQ_ADMIN_ID
    setting for the DB2OPT parameter in job DSNTIJRT.
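
An added audit query (not part of the APAR text or of IBM's DSNTIJRT/DSNTRIN code) for checking the separation of duties described above against the Db2 catalog: it lists every grantee outside the MQ_ADMIN_ID list that holds a change privilege on the two Db2 MQ tables and flags the ones that also hold EXECUTE on a Db2 MQ function. The IDs MQUID1, MQUID2 and MQUID3 are the sample values from the DB2OPT example; the function schema DB2MQ is an assumption to adjust for your installation.

```sql
-- Added example, not IBM-supplied code.
-- SYSIBM.SYSTABAUTH privilege columns: 'Y' = held, 'G' = held with
-- GRANT option, blank = not held.
SELECT T.GRANTEE,
       T.GRANTEETYPE,               -- blank = authorization ID
       T.TTNAME,
       T.GRANTOR,
       T.INSERTAUTH,
       T.UPDATEAUTH,
       T.DELETEAUTH,
       T.ALTERAUTH,
       T.INDEXAUTH,
       T.REFERENCESAUTH,
       T.TRIGGERAUTH,
       CASE WHEN R.GRANTEE IS NULL THEN 'N' ELSE 'Y' END
         AS MQ_FUNCTION_USER        -- 'Y' = the overlap this APAR addresses
  FROM SYSIBM.SYSTABAUTH T
  LEFT JOIN
       (SELECT DISTINCT GRANTEE
          FROM SYSIBM.SYSROUTINEAUTH
         WHERE SCHEMA      = 'DB2MQ'     -- assumed schema of the MQ functions
           AND ROUTINETYPE = 'F'         -- functions only
           AND EXECUTEAUTH IN ('Y', 'G')) R
    ON R.GRANTEE = T.GRANTEE
 WHERE T.TCREATOR = 'SYSIBM'
   AND T.TTNAME IN ('MQPOLICY_TABLE', 'MQSERVICE_TABLE')
   -- Replace with the IDs given in MQ_ADMIN_ID for this subsystem.
   AND T.GRANTEE NOT IN ('MQUID1', 'MQUID2', 'MQUID3')
   -- Any privilege beyond SELECT allows changing administration entries.
   AND (   T.INSERTAUTH     IN ('Y', 'G')
        OR T.UPDATEAUTH     IN ('Y', 'G')
        OR T.DELETEAUTH     IN ('Y', 'G')
        OR T.ALTERAUTH      IN ('Y', 'G')
        OR T.INDEXAUTH      IN ('Y', 'G')
        OR T.REFERENCESAUTH IN ('Y', 'G')
        OR T.TRIGGERAUTH    IN ('Y', 'G'))
 ORDER BY T.GRANTEE, T.TTNAME;
```

Rows with MQ_FUNCTION_USER = 'Y' are function users that can still modify MQ policy or service entries; a row whose GRANTEE is PUBLIC applies to every authorization ID.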
    

APAR Information

  • APAR number

    PH55025

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    D10

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-06-07

  • Closed date

    2023-08-24

  • Last modified date

    2023-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI93296

Modules/Macros

  • DSNTXAZP DSN@RIN  DSNTIWPC DSNTIDXA DSNTIJRT DSNTINS1 DSNTINST
    DSNTIDXC DSNTIDXB DSNTINSV DSNTINM1 DSNTIVMN DSNTIWMN DSNTIVIN
    DSNTIPG1 DSNTIWMS DSNTIVMS DSNTIWIN DSN@XAZP DSNTRIN
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RD10 PSY UI93296

       UP23/09/06 P F309



Document Information

Modified date:
02 October 2023