IBM Support

PI17699: DOCUMENT COMCRIT PARAMETER IN DB2 11

A fix is available


APAR status

  • Closed as program error.

Error description

  • DOC COMCRIT
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of DB2 Version 11 for z/OS who     *
    *                 wish to enable a Common Criteria environment *
    *                 for DB2 are affected by this change.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add support for establishing a Common   *
    *                      Criteria environment in DB2 Version 11  *
    *                      for z/OS.                               *
    ****************************************************************
    * RECOMMENDATION: Apply the fixing PTF for this APAR.          *
    ****************************************************************
    Common Criteria is an international standard that provides a
    framework in which the security attributes of products are
    specified and evaluated, thus assuring customers that the
    products are adequate for the target environment of use.  A
    Common Criteria-compliant environment is very restrictive and
    is not intended for use by most DB2 customers.
    
    Common Criteria certification of DB2 Version 11 for z/OS is
    in progress (refer to certification ID BSI-DSZ-CC-0884).
    When certification is achieved, an announcement will be made
    with instructions for ordering the certified product.
    
    For more information about installing DB2 11 to be Common
    Criteria compliant, and maintaining a Common Criteria-evaluated
    configuration of DB2 11, see "DB2 V11 for z/OS Requirements
    for the Common Criteria" (SC19-4011).
    

Problem conclusion

  • This APAR introduces optional functionality that allows you to
    establish a Common Criteria-compliant environment in DB2 Version
    11 for z/OS.  It documents a DB2 subsystem parameter called
    COMCRIT for enabling the Common Criteria environment on DB2 11.
    
    The Common Criteria environment in DB2 is disabled by default.
    Do not enable the Common Criteria environment before you have
    applied the following PTFs in addition to this PTF:
      PTF       APAR     Product
      -------   -------  ------------
      UI12584   PM97111  DB2 for z/OS
      UA67637   OA39506  z/OS
      UA67929   OA39487  z/OS
      UA67930   OA39486  z/OS
    Also do not enable the Common Criteria environment unless
    all existing work on DB2 can support multilevel security.
    Multilevel security is a security policy that allows the
    classification of data and users based on a system of
    hierarchical security levels combined with a system of non-
    hierarchical security categories. For general information about
    multilevel security and using multilevel security with the
    Common Criteria, see "z/OS Planning for Multilevel Security and
    the Common Criteria" (GA22-7509). See the DB2 11 Administration
    Guide for information on how to implement and use multilevel
    security in DB2.
    
    Subsystem parameter: COMCRIT
    -----------------------------
    A DB2 subsystem parameter called COMCRIT allows you to activate
    the Common Criteria environment.  COMCRIT is online-updateable
    and can be set to NO or YES:
    * NO is the default value. A value of NO results in compatible
      behavior and does not change the current operation of DB2.
    * YES activates the Common Criteria environment, which provides
      a basic operational change in DB2: Every new table that is
      created is required to have a security label column, which
      enables multilevel security.  If the AS SECURITY LABEL clause
      is missing from a CREATE TABLE statement, then DB2 issues an
      error and the table is not created.  Existing tables are not
      affected.
    
    In DB2 data sharing, use the same COMCRIT setting for all
    members of the group.
    
    Attention: Setting the value of COMCRIT to YES will cause some
          of the current DB2 installation and migration processes to
          fail.  A value of YES for COMCRIT can also affect
          installation, configuration, and use of other software
          products that require DB2.  See the description below of
          SQL restrictions that apply when DB2 operates in the
          Common Criteria environment.  Run all DB2 installation
          jobs that create user-managed tables before enabling the
          Common Criteria environment.  Once the environment is in
          effect, if you encounter errors when processing DB2-
          supplied DDL or other DDL, change the value of COMCRIT to
          NO to process the DDL or modify the DDL by adding security
          label columns to the DDL tables.
    
    SQL restrictions:
    -----------------
    When DB2 is started in a Common Criteria environment, DB2 issues
    the new SQLCODE -4708 under the following circumstances:
    * Whenever a CREATE TABLE statement does not include a column
      with the AS SECURITY LABEL clause.  Every normal base table
      must include a security label column in a Common Criteria
      environment.
    * Whenever a CREATE or ALTER TABLE statement attempts to define
      a materialized query table.  You cannot define materialized
      query tables in a Common Criteria environment.
    * Whenever the LIKE or AS (fullselect) clauses are specified as
      part of a CREATE TABLE or DECLARE GLOBAL TEMPORARY TABLE
      statement.  These clauses are not supported in a Common
      Criteria environment.
    
    Enabling the Common Criteria environment
    ----------------------------------------
    Do not enable the Common Criteria environment unless both of the
    following conditions are true:
    - You have applied the following PTFs in addition to the PTF for
      this APAR:
        PTF       APAR     Product
        -------   -------  ------------
        UI12584   PM97111  DB2 for z/OS
        UA67637   OA39506  z/OS
        UA67929   OA39487  z/OS
        UA67930   OA39486  z/OS
    - All existing work on DB2 can support multilevel security
    
    To enable the Common Criteria environment, update your DB2 11
    system parameter (DSNZPxxx) module as follows:
    (1) Verify that all existing work on DB2 can support multilevel
        security and complies with the SQL restrictions that are
        described above.
            Important: If DB2 does not support multilevel security
            or does not comply with the SQL restrictions that are
            described above, do not proceed.
    (2) Edit your customized copy of DSNTIJUZ.
    (3) Add COMCRIT=YES to the DSN6SPRM parameter list.
    (4) Run DSNTIJUZ to regenerate your DB2 system parameter
        (DSNZPxxx) module.
    (5) Run the SET SYSPARM command or stop and start DB2 to make
        the change effective.
    (6) To facilitate migration to future DB2 releases, update the
        COMCRIT entry in your private DSNTIDxx members for DB2 11
        to indicate that the setting is YES.
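
For step (1), one way to check existing DDL scripts against the three SQLCODE -4708 conditions listed under "SQL restrictions" before setting COMCRIT=YES. This is an added example, not IBM-supplied code: it is a regex heuristic rather than a DB2 SQL parser, and the function names, reason strings and sample DDL are assumptions made for illustration.

```python
import re

# Heuristic pre-flight scan for DDL that would get SQLCODE -4708 under
# COMCRIT=YES. Regex matching, not a DB2 SQL parser; reason strings are ours.
MQT = re.compile(r"\bDATA\s+INITIALLY\s+DEFERRED\b|\bADD\s+MATERIALIZED\s+QUERY\b")
LIKE = re.compile(r"^(?:CREATE|DECLARE GLOBAL TEMPORARY) TABLE \S+ LIKE\b")
AS_FULLSELECT = re.compile(r"\bAS\s*\(\s*(?:SELECT|WITH)\b")
SECLABEL = re.compile(r"\bAS SECURITY LABEL\b")

def violation(stmt):
    """Return the -4708 condition a normalized statement hits, or None."""
    create = stmt.startswith("CREATE TABLE ")
    alter = stmt.startswith("ALTER TABLE ")
    declare = stmt.startswith("DECLARE GLOBAL TEMPORARY TABLE ")
    if (create or alter) and MQT.search(stmt):
        return "materialized query table"
    if (create or declare) and (LIKE.match(stmt) or AS_FULLSELECT.search(stmt)):
        return "LIKE or AS (fullselect)"
    if create and not SECLABEL.search(stmt):
        return "no AS SECURITY LABEL column"
    return None

def scan(script):
    """Return (table name, reason) for each statement DB2 would reject."""
    hits = []
    for raw in re.sub(r"--[^\n]*", "", script).split(";"):
        stmt = " ".join(raw.split()).upper()  # collapse whitespace, fold case
        reason = violation(stmt)
        if reason:
            hits.append((re.search(r"\bTABLE (\S+)", stmt).group(1), reason))
    return hits

# Constructed sample DDL; schema, table and column names are made up.
SAMPLE = """
CREATE TABLE PAY.EMP (ID INT NOT NULL,
  SECLBL CHAR(8) NOT NULL WITH DEFAULT AS SECURITY LABEL);
CREATE TABLE PAY.AUDIT (ID INT, NOTE VARCHAR(40) CHECK (NOTE LIKE 'A%'));
CREATE TABLE PAY.EMP_COPY LIKE PAY.EMP;
CREATE TABLE PAY.TOTALS AS (SELECT ID FROM PAY.EMP)
  DATA INITIALLY DEFERRED REFRESH DEFERRED;
DECLARE GLOBAL TEMPORARY TABLE SESSION.T1 AS (SELECT ID FROM PAY.EMP) WITH NO DATA;
ALTER TABLE PAY.EMP ADD COLUMN DEPT CHAR(3);
"""

if __name__ == "__main__":
    for table, reason in scan(SAMPLE):
        print(f"{table}: {reason}")
```

The LIKE rule matches only the table-level clause directly after the table name, so a LIKE predicate inside a CHECK constraint (PAY.AUDIT above) is not mistaken for it.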
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI17699

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-05-09

  • Closed date

    2014-08-05

  • Last modified date

    2014-09-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI20280

Modules/Macros

  •    DSNDQWPZ DSNDSPRM DSN6SPRM
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RB10 PSY UI20280

       UP14/08/20 P F408


Document Information

Modified date:
31 July 2023