A fix is available
APAR status
Closed as program error.
Error description
DOC COMCRIT
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of DB2 Version 11 for z/OS who     *
*                 wish to enable a Common Criteria environment *
*                 for DB2 are affected by this change.         *
****************************************************************
* PROBLEM DESCRIPTION: Add support for establishing a Common   *
*                      Criteria environment in DB2 Version 11  *
*                      for z/OS.                               *
****************************************************************
* RECOMMENDATION: Apply the fixing PTF for this APAR.          *
****************************************************************

Common Criteria is an international standard that provides a framework in which the security attributes of products are specified and evaluated, thus assuring customers that the products are adequate for the target environment of use. A Common Criteria-compliant environment is very restrictive and is not intended for use by most DB2 customers.

Common Criteria certification of DB2 Version 11 for z/OS is in progress (refer to certification ID BSI-DSZ-CC-0884). When certification is achieved, an announcement will be made with instructions for ordering the certified product.

For more information about installing DB2 11 to be Common Criteria compliant, and maintaining a Common Criteria-evaluated configuration of DB2 11, see "DB2 V11 for z/OS Requirements for the Common Criteria" (SC19-4011).
Problem conclusion
This APAR introduces optional functionality that allows you to establish a Common Criteria-compliant environment in DB2 Version 11 for z/OS. It documents a DB2 subsystem parameter called COMCRIT for enabling the Common Criteria environment on DB2 11.

The Common Criteria environment in DB2 is disabled by default. Do not enable the Common Criteria environment before you have applied the following PTFs in addition to this PTF:

PTF      APAR     Product
-------  -------  ------------
UI12584  PM97111  DB2 for z/OS
UA67637  OA39506  z/OS
UA67929  OA39487  z/OS
UA67930  OA39486  z/OS

Also do not enable the Common Criteria environment unless all existing work on DB2 can support multilevel security. Multilevel security is a security policy that allows the classification of data and users based on a system of hierarchical security levels combined with a system of non-hierarchical security categories.

For general information about multilevel security and using multilevel security with the Common Criteria, see "z/OS Planning for Multilevel Security and the Common Criteria" (GA22-7509). See the DB2 11 Administration Guide for information on how to implement and use multilevel security in DB2.

Subsystem parameter: COMCRIT
-----------------------------
A DB2 subsystem parameter called COMCRIT allows you to activate the Common Criteria environment. COMCRIT is online-updateable and can be set to NO or YES:

* NO is the default value. A value of NO results in compatible behavior and does not change the current operation of DB2.
* YES activates the Common Criteria environment, which provides a basic operational change in DB2: Every new table that is created is required to have a security label column, which enables multilevel security. If the AS SECURITY LABEL clause is missing from a CREATE TABLE statement, then DB2 issues an error and the table is not created. Existing tables are not affected.

In DB2 data sharing, use the same COMCRIT setting for all members of the group.

Attention: Setting the value of COMCRIT to YES will cause some of the current DB2 installation and migration processes to fail. A value of YES for COMCRIT can also affect installation, configuration, and use of other software products that require DB2. See the description below of SQL restrictions that apply when DB2 operates in the Common Criteria environment.

Run all DB2 installation jobs that create user-managed tables before enabling the Common Criteria environment. Once the environment is in effect, if you encounter errors when processing DB2-supplied DDL or other DDL, change the value of COMCRIT to NO to process the DDL or modify the DDL by adding security label columns to the DDL tables.

SQL restrictions:
-----------------
When DB2 is started in a Common Criteria environment, DB2 issues the new SQLCODE -4708 under the following circumstances:

* Whenever a CREATE TABLE statement does not include a column with the AS SECURITY LABEL clause. Every normal base table must include a security label column in a Common Criteria environment.
* Whenever a CREATE or ALTER TABLE statement attempts to define a materialized query table. You cannot define materialized query tables in a Common Criteria environment.
* Whenever the LIKE or AS (fullselect) clauses are specified as part of a CREATE TABLE or DECLARE GLOBAL TEMPORARY TABLE statement. These clauses are not supported in a Common Criteria environment.
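
The following pre-check is an added example, not part of the APAR text or any IBM-supplied tooling: it scans a DDL script for statements that fall under the three SQLCODE -4708 conditions listed above, so that DDL can be corrected before COMCRIT is set to YES. The function names and the sample DDL are constructed for illustration, and recognizing a materialized query table by the keywords MATERIALIZED QUERY or REFRESH DEFERRED is a heuristic assumption.

```python
import re

# Constructed sample DDL for illustration (not DB2-supplied DDL).
SAMPLE_DDL = """
-- constructed sample
CREATE TABLE PAYROLL.EMP (ID INTEGER NOT NULL, NOTE VARCHAR(40) WITH DEFAULT 'n/a; none');
CREATE TABLE PAYROLL.EMP2 (ID INTEGER NOT NULL,
    SECLABEL CHAR(8) NOT NULL WITH DEFAULT AS SECURITY LABEL);
CREATE TABLE PAYROLL.EMP3 LIKE PAYROLL.EMP;
DECLARE GLOBAL TEMPORARY TABLE SESSION.T1 AS (SELECT ID FROM PAYROLL.EMP) WITH NO DATA;
ALTER TABLE PAYROLL.SUMMARY ADD MATERIALIZED QUERY (SELECT COUNT(*) AS N FROM PAYROLL.EMP)
    DATA INITIALLY DEFERRED REFRESH DEFERRED;
"""

# Matches -- comments and string literals so both can be neutralized in one pass.
_NOISE = re.compile(r"--[^\n]*|'(?:[^']|'')*'")
_HEAD = r"^\s*(?:CREATE\s+TABLE|DECLARE\s+GLOBAL\s+TEMPORARY\s+TABLE)\s+\S+\s+"
_CREATE = re.compile(r"^\s*CREATE\s+TABLE\b", re.I)
_ALTER = re.compile(r"^\s*ALTER\s+TABLE\b", re.I)
_LIKE = re.compile(_HEAD + r"LIKE\b", re.I)
_AS_SELECT = re.compile(_HEAD + r"(?:\([^()]*\)\s*)?AS\s*\(", re.I)
_MQT = re.compile(r"\bMATERIALIZED\s+QUERY\b|\bREFRESH\s+DEFERRED\b", re.I)  # heuristic
_SECLABEL = re.compile(r"\bAS\s+SECURITY\s+LABEL\b", re.I)


def check_statement(stmt):
    """Return the reasons one statement would get SQLCODE -4708 with COMCRIT=YES."""
    reasons = []
    if (_CREATE.match(stmt) or _ALTER.match(stmt)) and _MQT.search(stmt):
        reasons.append("defines a materialized query table")
    if _LIKE.match(stmt):
        reasons.append("uses the LIKE clause")
    elif _AS_SELECT.match(stmt):
        reasons.append("uses the AS (fullselect) clause")
    if _CREATE.match(stmt) and not reasons and not _SECLABEL.search(stmt):
        reasons.append("no column with AS SECURITY LABEL")
    return reasons


def scan_ddl(text):
    """Return [(statement number, reasons)] for statements that would fail."""
    clean = _NOISE.sub(lambda m: "''" if m.group().startswith("'") else "", text)
    checked = enumerate(map(check_statement, clean.split(";")), start=1)
    return [(n, reasons) for n, reasons in checked if reasons]


if __name__ == "__main__":
    for number, reasons in scan_ddl(SAMPLE_DDL):
        print(f"statement {number}: {', '.join(reasons)}")
```

Statements are numbered in the order they appear in the script; only CREATE TABLE is checked for a missing security label column, matching the "normal base table" wording above.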

Enabling the Common Criteria environment
----------------------------------------
Do not enable the Common Criteria environment unless both of the following conditions are true:

- You have applied the following PTFs in addition to the PTF for this APAR:

  PTF      APAR     Product
  -------  -------  ------------
  UI12584  PM97111  DB2 for z/OS
  UA67637  OA39506  z/OS
  UA67929  OA39487  z/OS
  UA67930  OA39486  z/OS

- All existing work on DB2 can support multilevel security

To enable the Common Criteria environment, update your DB2 11 system parameter (DSNZPxxx) module as follows:

(1) Verify that all existing work on DB2 can support multilevel security and complies with the SQL restrictions that are described above.
    Important: If DB2 does not support multilevel security or does not comply with the SQL restrictions that are described above, do not proceed.
(2) Edit your customized copy of DSNTIJUZ.
(3) Add COMCRIT=YES to the DSN6SPRM parameter list.
(4) Run DSNTIJUZ to regenerate your DB2 system parameter (DSNZPxxx) module.
(5) Run the SET SYSPARM command or stop and start DB2 to make the change effective.
(6) To facilitate migration to future DB2 releases, update the COMCRIT entry in your private DSNTIDxx members for DB2 11 to indicate that the setting is YES.
Temporary fix
Comments
APAR Information
APAR number
PI17699
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
B10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-05-09
Closed date
2014-08-05
Last modified date
2014-09-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI20280
Modules/Macros
DSNDQWPZ DSNDSPRM DSN6SPRM
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RB10 PSY UI20280
UP14/08/20 P F408
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
31 July 2023