IBM Support

Configuration changes needed for IBM Spectrum Protect (formerly Tivoli Storage Manager) client versions starting with 7.1.8 and 8.1.2

Flashes (Alerts)


Abstract

Users of IBM Db2 with IBM Spectrum Protect client versions starting with 7.1.8 and 8.1.2 may need to make configuration changes.

Content

Configuration changes may be required for databases that are configured to use IBM Spectrum Protect client versions starting with 7.1.8 and 8.1.2 for the storage and retrieval of database backup images, load copy images, and transaction log files. Starting with 7.1.8 and 8.1.2, the trusted communications agent (TCA) is no longer available, and users must configure each Db2 instance as an authorized user with access to the node password as described here (https://ibm.co/2Jdx2Ht). When a Db2 database instance is configured as an authorized user, each instance using the same database name must use a unique node name, and owners should no longer be specified using “db2adutl GRANT USER” or “-fromnode” due to the changes in behavior.

 

When multiple Db2 database instances access the same node name, you may experience the following changes in behavior.

 

Behavior:

Scenario A) Multiple Db2 database instances with identical database names and identical TSM NODENAME.
Considering the following example:
   - Db2 database-instance userid 'db2instA' with database name 'dbname1' and TSM NODENAME 'node1'.
   - Db2 database-instance userid 'db2instB' with database name 'dbname1' and TSM NODENAME 'node1'. 
Suppose that both databases are storing backup images and/or load copy images and/or log files. Note the following changes in behavior:

-- With the legacy TCA authentication model: 
The querying, manipulation, or extraction of objects (such as through the db2adutl tool, or a database restore or log file retrieval operation) from these databases will remain isolated from each other. 
For example, if database dbname1 from database-instance userid db2instA archives a log file with name 'S000001.LOG', and database with identical name dbname1 from database-instance userid db2instB archives a log file with identical name 'S000001.LOG', then a future log file retrieval operation from one database will always retrieve the log file which it archived, and never the log file of the same name that was archived by the other database.


-- With the authorized user authentication model: 
The querying, manipulation, or extraction of objects will not be isolated from each other (every user-host combination using the same TSM NODENAME will appear as the same owner, even though the database-instance userids are different).
For example, if database dbname1 from database-instance userid db2instA archives a log file with name 'S000001.LOG', and database with identical name dbname1 from database-instance userid db2instB archives a log file with identical name 'S000001.LOG', then a future log file retrieval operation from one database can retrieve the log file which was archived by the other database. This could cause a Restore, Rollforward or db2ReadLog (replication) operation to fail. (In such a failure scenario, contact IBM support for assistance with extracting and isolating the objects associated with the desired database).

 

Scenario B) Cross-node Recovery
Cross-node recovery refers to the intentional recovery of backup images and/or load copy images and/or retrieval of log files, which were generated by a different owner, node, or database. This is commonly practiced when development/QA environments are synchronized from production environment backup images. Cross-node recovery is described in the Knowledge Center (https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db…).

In this configuration, suppose we have a database-instance userid 'instProd' with database name 'dbname1' and TSM NODENAME 'node1', and a database-instance userid 'instTest' with database name 'dbname1' and TSM NODENAME 'node2'. Note the following differences in behavior:

-- With the legacy TCA authorization model: 
After access is granted for database dbname1 on database-instance userid instTest to access the objects that were archived by database dbname1 on database-instance userid instProd (via the 'db2adutl GRANT USER ....' operation), the database on instance instTest can query and extract the objects that were archived by the other database on instance instProd, as desired.

 

-- With the Authorized User authentication model: 
After access is granted for database dbname1 on database-instance instTest to access the objects that were archived by database dbname1 on database-instance instProd (via the 'db2adutl GRANT USER ....' operation), the database on instance instTest cannot query or extract the objects that were archived by the database on instance instProd. 



Configuration changes required to adopt the authorized user authentication model:

When implementing the authorized user authentication model, ensure that each Db2 instance is configured with a unique TSM NODENAME, to achieve isolation of database objects. (Refer to the Knowledge Center for details on configuring the TSM NODENAME: https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/client/r_opt_n…).


Scenario A) Multiple Db2 databases with identical database names and identical TSM NODENAME.
Configuring a unique TSM NODENAME for each database-instance will ensure the isolation of database objects. No other changes are required.
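
One way to audit the unique-NODENAME requirement before moving to the authorized user model, as an added example that is not part of the original IBM document. The inventory format, the function names and the sample rows are assumptions of this example; the rows reuse the instance, database and node names from the scenarios above.

```shell
# Constructed inventory, one database per line: instance_userid dbname tsm_nodename.
# Rows 1-2 are the Scenario A example; rows 4-5 use one NODENAME per instance.
sample_inventory() {
cat <<'EOF'
db2instA dbname1 node1
db2instB dbname1 node1
db2instC sales   node1
instProd dbname1 hostProd
instTest dbname1 hostTest
EOF
}

# Reads inventory lines on stdin; prints one line per NODENAME used by more
# than one instance userid. COLLISION: a database name repeats under that
# NODENAME, so same-named objects (e.g. S000001.LOG) are not isolated.
# SHARED: no database name repeats. Case-insensitive compare is an assumption.
check_nodenames() {
  awk '
    NF < 3 || /^#/ { next }
    {
      inst = $1; db = toupper($2); node = toupper($3)
      if (!((node, inst) in seen_inst)) {
        seen_inst[node, inst] = 1
        ninst[node]++
        sep = (insts[node] == "") ? "" : ","
        insts[node] = insts[node] sep inst
      }
      if (!((node, db, inst) in seen_db)) {
        seen_db[node, db, inst] = 1
        if (++ndb[node, db] == 2) {
          sep = (dups[node] == "") ? "" : ","
          dups[node] = dups[node] sep db
        }
      }
    }
    END {
      for (n in ninst) if (ninst[n] > 1) {
        kind = (n in dups) ? "COLLISION" : "SHARED"
        printf "%s nodename=%s instances=%s db=%s\n", kind, n, insts[n], ((n in dups) ? dups[n] : "-")
      }
    }
  ' | sort
}

sample_inventory | check_nodenames
```

Any line of output means the listed instances need distinct NODENAME values before the change; an empty result means each NODENAME maps to a single instance userid.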


Scenario B) Cross-node Recovery
With the authorized user authentication model:
To configure cross-node recovery, consider the following environment as an example:
    - Db2 database-instance userid 'instProd' with database name 'dbname1' on host 'hostProd'.
    - Db2 database-instance userid 'instTest' with database name 'dbname1' on host 'hostTest'.

-- With the legacy TCA authentication model, cross-node recovery would have been accomplished by allowing the instTest userid to access the objects of the instProd userid using the 'GRANT USER' option of the db2adutl command, and specifying the -fromnode and -fromowner options of the Restore command (or logarchopt1/vendoropt configuration parameters), as follows:
     [hostProd] $  db2adutl GRANT USER instTest ON NODENAME hostTest FOR DB dbname1
     [hostTest]  $  db2 RESTORE DB dbname1 USE TSM OPTIONS "'-fromnode=hostProd -fromowner=instProd'" 

-- With the authorized user authentication model, access should instead be granted to all users of the specific TSM NODENAME using the 'GRANT ALL' option of the db2adutl command, and specifying the -fromnode option of the Restore command (or logarchopt1/vendoropt configuration parameters), as follows:
     [hostProd] $  db2adutl GRANT ALL ON NODENAME hostTest FOR DB dbname1
     [hostTest]  $  db2 RESTORE DB dbname1 USE TSM OPTIONS "'-fromnode=hostProd'" 

(Note that, since the TSM NODENAME is unique for each database-instance, granting access to ALL users of the specified NODENAME should only imply the single desired database-instance userid).

 

Prior to adopting the authorized user authentication model

When a new TSM NODENAME is configured for a database-instance, access to historic recovery objects (database backup images, load copy images, and transaction log files) that were stored in TSM using the original NODENAME may not be possible. Thus, any database operation requiring these historic objects will fail (such as restore, rollforward, rebuild).
Prior to configuring a new unique TSM NODENAME for a database-instance, consider granting access to objects stored for this database using the original NODENAME, by using the ‘db2adutl GRANT ALL ON NODENAME <new nodename> FOR DB <dbname>’ command, and utilizing the ‘-fromnode’ TSM option, as described in the “Scenario B) Cross-node Recovery” section of “Configuration changes required to adopt the authorized user authentication model:” directly above this paragraph.


Tip: The product now known as IBM Spectrum Protect was named IBM Tivoli® Storage Manager (TSM) in releases earlier than Version 7.1.3. To learn more about the rebranding transition, see technote 1963634.

 


Product Synonym

Db2; TSM

Document Information

Modified date:
22 August 2018

UID

ibm10715763