IBM Support

PI17699: DOCUMENT COMCRIT PARAMETER IN DB2 11

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • DOC COMCRIT
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of DB2 Version 11 for z/OS who     *
    *                 wish to enable a Common Criteria environment *
    *                 for DB2 are affected by this change.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add support for establishing a Common   *
    *                      Criteria environment in DB2 Version 11  *
    *                      for z/OS.                               *
    ****************************************************************
    * RECOMMENDATION: Apply the fixing PTF for this APAR.          *
    ****************************************************************
    Common Criteria is an international standard that provides a
    framework in which the security attributes of products are
    specified and evaluated, thus assuring customers that the
    products are adequate for the target environment of use.  A
    Common Criteria-compliant environment is very restrictive and
    is not intended for use by most DB2 customers.
    
    Common Criteria certification of DB2 Version 11 for z/OS is
    in progress (refer to certification ID BSI-DSZ-CC-0884).
    When certification is achieved, an announcement will be made
    with instructions for ordering the certified product.
    
    For more information about installing DB2 11 to be Common
    Criteria compliant, and maintaining a Common Criteria-evaluated
    configuration of DB2 11, see "DB2 V11 for z/OS Requirements
    for the Common Criteria" (SC19-4011).
    

Problem conclusion

  • This APAR introduces optional functionality that allows you to
    establish a Common Criteria-compliant environment in DB2 Version
    11 for z/OS.  It documents a DB2 subystem parameter called
    COMCRIT for enabling the Common Criteria environment on DB2 11.
    
    The Common Criteria environment in DB2 is disabled by default.
    Do not enable the Common Criteria environment before you have
    applied the following PTFs in addition to this PTF:
      PTF       APAR     Product
      -------   -------  ------------
      UI12584   PM97111  DB2 for z/OS
      UA67637   OA39506  z/OS
      UA67929   OA39487  z/OS
      UA67930   OA39486  z/OS
    Also do not enable the Common Criteria environment unless
    all existing work on DB2 can support multilevel security.
    Multilevel security is a security policy that allows the
    classification of data and users based on a system of
    hierarchical security levels combined with a system of non-
    hierarchical security categories. For general information about
    multilevel security and using multilevel security with the
    Common Criteria, see "z/OS Planning for Multilevel Security and
    the Common Criteria" (GA22-7509). See the DB2 11 Administration
    Guide for information on how to implement and use multilevel
    security in DB2.
    
    Subsystem parameter: COMCRIT
    -----------------------------
    A DB2 subsystem parameter called COMCRIT allows you to activate
    the Common Criteria environment.  COMCRIT is online-updateable
    and can be set to NO or YES:
    * NO is the default value. A value of NO results in compatible
      behavior and does not change the current operation of DB2.
    * YES activates the Common Criteria environment, which provides
      a basic operational change in DB2: Every new table that is
      created is required to have a security label column, which
      enables multilevel security.  If the AS SECURITY LABEL clause
      is missing from a CREATE TABLE statement, then DB2 issues an
      error and the table is not created.  Existing tables are not
      affected.
    
    In DB2 data sharing, use the same COMCRIT setting for all
    members of the group.
    
    Attention: Setting the value of COMCRIT to YES will cause some
          of the current DB2 installation and migration processes to
          fail.  A value of YES for COMCRIT can also affect
          installation, configuration, and use of other software
          products that require DB2.  See the description below of
          SQL restrictions that apply when DB2 operates in the
          Common Criteria environment.  Run all DB2 installation
          jobs that create user-managed tables before enabling the
          Common Criteria environment.  Once the environment is in
          effect, if you encounter errors when processing DB2-
          supplied DDL or other DDL, change the value of COMCRIT to
          NO to process the DDL or modify the DDL by adding security
          label columns to the DDL tables.
    
    SQL restrictions:
    -----------------
    When DB2 is started in a Common Criteria environment, DB2 issues
    the new SQLCODE -4708 under the following circumstances:
    * Whenever a CREATE TABLE statement does not include a column
      with the AS SECURITY LABEL clause.  Every normal base table
      must include a security label column in a Common Criteria
      environment.
    * Whenever a CREATE or ALTER TABLE statement attempts to define
      a materialized query table.  You cannot define materialized
      query tables in a Common Criteria environment.
    * Whenever the LIKE or AS (fullselect) clauses are specified as
      part of a CREATE TABLE or DECLARE GLOBAL TEMPORARY TABLE
      statement.  These clauses are not supported in a Common
      Criteria environment.
    
    Enabling the Common Criteria environment
    ----------------------------------------
    Do not enable the Common Criteria environment unless both of the
    following conditions are true:
    - You have applied the following PTF in addition to the PTF for
      this APAR:
        PTF       APAR     Product
        -------   -------  ------------
        UI12584   PM97111  DB2 for z/OS
        UA67637   OA39506  z/OS
        UA67929   OA39487  z/OS
        UA67930   OA39486  z/OS
    - All existing work on DB2 can support multilevel security
    
    To enable the Common Criteria environment, update your DB2 11
    system parameter (DSNZxxx) module as follows:
    (1) Verify that all existing work on DB2 can support multilevel
        security and complies with the SQL restrictions that are
        described above.
            Important: If DB2 does not support multilevel security
            or does not comply with the SQL restrictions that are
            described above, do not proceed.
    (2) Edit your customized copy of DSNTIJUZ.
    (3) Add COMCRIT=YES to the DSN6SPRM parameter list.
    (4) Run DSNTIJUZ to regenerate your DB2 system parameter
        (DSNZPxxx) module.
    (5) Run the SET SYSPARM command or stop and start DB2 to make
        the change effective.
    (6) To facilitate migration to future DB2 releases, update the
        COMCRIT entry in your private DSNTIDxx members for DB2 11
        to indicate that the setting is YES.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI17699

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-05-09

  • Closed date

    2014-08-05

  • Last modified date

    2014-09-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI20280

Modules/Macros

  •    DSNDQWPZ DSNDSPRM DSN6SPRM
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RB10 PSY UI20280

       UP14/08/20 P F408

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEPEK","label":"Db2 for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.0"}]

Document Information

Modified date:
04 March 2021