A fix is available
APAR status
Closed as program error.
Error description
Under certain circumstances, OMPE will fall back to using DB2 internal security after the DB2 subsystem has been converted to use an external security system such as RACF.
Scenario:
- User "JOHN" is defined with access NONE in the RACF class MDSNSM, profile ssid.MONITOR1.
- User "JOHN" is also defined in the DB2 internal security table SYSIBM.SYSUSERAUTH with access to MON1AUTH.
Access is allowed for JOHN. In this scenario OMPE should not fall back to DB2 internal security, and JOHN should not be allowed to start the trace.
There are ways to define a general-purpose profile that prevents the external security system from ever responding to DB2 that no profile is defined. This prevents DB2 from ever using DB2 internal security to provide the privilege to gain access to any DB2 object.
Local fix
apply PTF
Problem summary
USERS AFFECTED: OMEGAMON XE for DB2 PE/DB2PM users of component
- PE Server subtask
PROBLEM DESCRIPTION: In a RACF environment, logon from the ISPF Online Monitor to PE Server succeeds although the logon user ID has no DB2 monitor privilege.
RECOMMENDATION: Apply this PTF.
PROBLEM SUMMARY: When access to DB2 resources is secured through RACF and the ISPF logon user ID is not authorized to monitor the DB2 subsystem, the PE Server subtask ignores the RACF decision and checks whether monitor privilege is granted by DB2 internal security. If a corresponding entry for the user ID is found in the DB2 catalog table SYSIBM.SYSUSERAUTH, the DB2 subsystem can be monitored from the ISPF Online Monitor interface through PE Server. If external security (RACF) is active and the DB2 resources are protected by corresponding profiles, PE Server must not check DB2 internal security in addition because only external security checking is intended and expected.
KEYWORDS: ISPF OLM CONNECTION PE SERVER
Problem conclusion
The code has been corrected accordingly to check monitor privileges using either external security or internal security.
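The scenario from the error description as a simplified model, added here for illustration and not taken from the product's code. The function names, the RACF access levels, the `profile_defined` flag and all sample user IDs are assumptions or constructed data; `exposed_users` lists the IDs that the pre-fix logic admits although external security denies them.

```python
# Simplified model of the authorization decision described in this APAR.
# Illustrative only: names and data are constructed, not product code.

GRANTED = {"Y", "G"}  # SYSUSERAUTH.MON1AUTH: Y = held, G = held with GRANT option


def internal_allows(user, sysuserauth):
    """DB2 internal security: MON1AUTH recorded in SYSIBM.SYSUSERAUTH."""
    return sysuserauth.get(user, " ") in GRANTED


def external_allows(user, racf_access):
    """External security: access level on the ssid.MONITOR1 profile (default NONE)."""
    return racf_access.get(user, "NONE") != "NONE"


def flawed_check(user, racf_access, sysuserauth):
    """Before the fix: an external denial falls through to the DB2 catalog."""
    return external_allows(user, racf_access) or internal_allows(user, sysuserauth)


def corrected_check(user, racf_access, sysuserauth, profile_defined=True):
    """After the fix: external or internal security decides, never both."""
    if profile_defined:  # assumption: a covering RACF profile makes RACF authoritative
        return external_allows(user, racf_access)
    return internal_allows(user, sysuserauth)


def exposed_users(racf_access, sysuserauth):
    """User IDs the flawed check admits although RACF denies them."""
    users = set(racf_access) | set(sysuserauth)
    return sorted(
        u for u in users
        if flawed_check(u, racf_access, sysuserauth)
        and not corrected_check(u, racf_access, sysuserauth)
    )


# Constructed sample data; JOHN mirrors the scenario in the error description.
RACF_ACCESS = {"JOHN": "NONE", "MARY": "READ", "OPS1": "NONE"}
SYSUSERAUTH = {"JOHN": "Y", "MARY": " ", "OPS1": " ", "OLDADM": "G"}

if __name__ == "__main__":
    print(exposed_users(RACF_ACCESS, SYSUSERAUTH))
```

The same comparison, run against a real extract of RACF permissions and SYSIBM.SYSUSERAUTH rows, shows which leftover catalog grants to revoke after a conversion to external security.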
Temporary fix
Comments
APAR Information
APAR number
PI56002
Reported component name
OM XE DB2PE/PM
Reported component ID
5655OPE00
Reported release
520
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-01-25
Closed date
2016-05-11
Last modified date
2017-02-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI37743 UI37744
Modules/Macros
DGOVDB2F DGOVDB2I DGOVMSTR DGOZUAUT FPE@DB2S FPEUFFER FPEUFFE2 FPEUFIOI FPEUFIO2 FPEUFOCR FPEUFOC2 FPEUFTDS FPEUFTS2 FPEUFUIS FPEUFUIT FPEUFUNI FPEUFUN2 FPEUFWMG FPEUFWMX FPEUFYDY FPEUFYD2 FPEUFYLD FPEUFYST FPEUFYS2 FPEUIFCI FPEUIFC2 FPEUMSGS FPEVDB2F FPEVDB2I FPEVDB2S FPEVDB22 FPEVDB23 FPEVDB24 FPEVRACF
| GH12699300 | GH12704900 |
Fix information
Fixed component name
OM XE DB2PE/PM
Fixed component ID
5655OPE00
Applicable component levels
Document Information
Modified date:
30 March 2021