Db2 Security Exit Configuration for PDS

Customize the Db2 security exit to allow the Adapter for Db2 to run with user-level security enabled. If you do so, each user connects to Db2 under the authorization ID of the user ID with which they logged on to the server. The server must also be running with security turned on.

If you do not customize the Db2 security exit, all users will be assigned the connection ID to Db2 that is associated with the region, job submitter, or started task.

For the Adapter for Db2 CLI, the connection to Db2 must be configured as a trusted connection; otherwise the sign-on exit is not invoked.

The changes that must be made to the IBM Db2 sign-on exit, DSN3SATH, differ between RACF and eTrust CA-Top Secret sites on the one hand and eTrust CA-ACF2 sites on the other.

An example of each is shown in the following sections.

The lines marked <--ADD and <-COMMENT in the examples are the recommended modification of DSN3SATH: a call to the supplied exit module FOCDSN3 (and, for RACF and eTrust CA-Top Secret, FOCDSN4). The markers are annotations only and are not part of the source.

After you finish the edits, assemble the exit into an object file. That object file is the input to the link JCL shown at the end of this section.

Note:

  • The positioning of these lines is approximate, assuming that no other changes or additions have already been made to DSN3SATH. If any changes have been made, you should decide on the most appropriate location for this call to FOCDSN3.
  • FOCDSN3 is used to set the proper primary (individual user ID) authorization.
  • Another program, FOCDSN4, is used to set the proper secondary (group ID) authorization for RACF and eTrust CA-Top Secret. FOCDSN4 is not needed with eTrust CA-ACF2. The secondary authorization ID(s) will be set correctly without it.

Changing DSN3SATH for RACF and eTrust CA-Top Secret Sites

1. Search for the SATH001 label and add two lines (the call to FOCDSN3):

SATH001  DS    0H
         USING WORKAREA,R11        ESTABLISH DATA AREA ADDRESSABILITY
         ST    R2,FREMFLAG         SAVE FREEMAIN INDICATOR
         XC    SAVEAREA(72),SAVEAREA CLEAR REGISTER SAVE AREA
         .
         .
         .
*********SECTION 1:  DETERMINE THE PRIMARY AUTHORIZATION ID  ************
*                                                                       *
*  IF THE INPUT AUTHID IS NULL OR BLANKS, CHANGE IT TO THE AUTHID       *
*  IN EITHER THE JCT OR THE FIELD POINTED TO BY ASCBJBNS.               *
*  THE CODE IN THIS SECTION IS AN ASSEMBLER LANGUAGE VERSION OF         *
*  THE DEFAULT IDENTIFY AUTHORIZATION EXIT.  IT IS EXECUTED ONLY        *
*  IF THE FIELD ASXBUSER IS NULL UPON RETURN FROM THE RACROUTE          *
*  SERVICE.  FOR EXAMPLE, IT DETERMINES THE PRIMARY AUTH ID FOR         *
*  ENVIRONMENTS WITH NO SECURITY SYSTEM INSTALLED AND ACTIVE.           *
*                                                                       *
*************************************************************************
         SPACE
         LA    R1,AIDLPRIM         LOAD PARM REG1                 <--ADD
         CALL  FOCDSN3             GO GET THE IBI EXIT            <--ADD
         CLI   AIDLPRIM,BLANK      IS THE INPUT PRIMARY AUTHID NULL
         BH    SATH020             SKIP IF A PRIMARY AUTH ID EXISTS

2. Search for the SATH020 label, add a comment box, add one line, and comment out four lines:

SATH020  DS    0H                  BRANCH TO HERE IF PRIMARY EXISTS
*****OPTIONAL CHANGE @CHAR7:  FALLBACK TO SEVEN CHAR PRIMARY AUTHID***
*                                                                    *
*  IF YOUR INSTALLATION REQUIRES ONLY SEVEN CHARACTER PRIMARY        *
*  AUTHORIZATION IDS (POSSIBLY TRUNCATED) DUE TO DB2 PRIVILEGES      *
*  GRANTED TO TRUNCATED AUTHORIZATION IDS, THEN YOU MUST BLANK OUT   *
*  COLUMN 1 OF THE ASSEMBLER STATEMENT IMMEDIATELY FOLLOWING THIS    *
*  BLOCK COMMENT. THEN ASSEMBLE THIS PROGRAM AND LINK-EDIT IT INTO   *
*  THE APPROPRIATE DB2 LOAD LIBRARY AS EXPLAINED IN AN APPENDIX      *
*  OF "THE DB2 ADMINISTRATION GUIDE".                                *
*                                                                    *
*  OTHERWISE, YOU NEED DO NOTHING.                                   *
*                                                            @KYD0271*
**********************************************************************
*        MVI   AIDLPRIM+7,BLANK    BLANK OUT EIGHTH CHARACTER
         SPACE
         .
         .
         .
*   RACF IS ACTIVE ON THIS MVS
****************************************************************** <--ADD
*                                                                * <--ADD
* The logic was modified because in DB2 V8 AIDLACEE is always not* <--ADD
* NULL. We used to honor AIDLACEE first, FOCDSN4 second and then * <--ADD
* AS ACEE. Now we honor FOCDSN4 first, AIDLACEE second and then  * <--ADD
* AS ACEE.                                                       * <--ADD
*                                                                * <--ADD
* 03/11/05   ASK0                                                * <--ADD
****************************************************************** <--ADD
         USING ACEE,R6             ESTABLISH BASE FOR ACEE        @KYL0108
         L     R6,AIDLACEE         Get => caller ACEE if any      <--ADD
*        ICM   R6,B'1111',AIDLACEE CALLER PASSED ACEE ADDRESS?    @KYL0108  <-COMMENT
*        BZ    SATH024             NO, USE ADDRESS SPACE ACEE     @KYL0108  <-COMMENT
*        CLC   ACEEACEE,EYEACEE    IS IT REALLY AN ACEE?          @KYL0108  <-COMMENT
*        BE    SATH027             YES, PROCEED NORMALLY          @KYL0108  <-COMMENT
         SPACE 1
SATH024  DS    0H                  USE ADDRESS SPACE ACEE         @KYL0108
         .
         .
         .

3. Search for the SATH025 label, replace the SATH025 code and add SATH026 (the call to FOCDSN4):

SATH025  DS    0H
         CALL  FOCDSN4             GO GET THE IBI EXIT (4=GROUP AUTH) <--ADD
         LTR   R6,R6               DOES AN ACEE EXIST?  IF NOT,       <--ADD
         BZ    SATH026             CHECK ACEE IN ADDRESS SPACE        <--ADD
         CLC   ACEEACEE,EYEACEE    DOES IT LOOK LIKE AN ACEE?         <--ADD
         BE    SATH027             YES, GO DO GROUPS                  <--ADD
SATH026  DS    0H                                                     <--ADD
         .
         .
         .
SATH027  DS    0H                  CHECK LIST OF GROUPS OPTION
         TM    RCVTOPTX,RCVTLGRP   IS LIST OF GROUPS CHECKING ACTIVE
         BZ    SATH040             SKIP TO SINGLE GROUP COPY IF NOT
         DROP  R7                  DROP RCVT BASE REG
         SPACE 1
* RACF LIST OF GROUPS OPTION IS ACTIVE
         EJECT
         .
         .
         .

Changing DSN3SATH for eTrust CA-ACF2 Sites

Note: At eTrust CA-ACF2 sites, the DSN3SATH source you modify is the one supplied with CA-ACF2.

1. Search for the PRIMARY AUTHORIZATION ID comment box and add two lines (the call to FOCDSN3):

*****************************************************************
*                                                               *
*           PRIMARY AUTHORIZATION ID                            *
*                                                               *
*****************************************************************
*                                                               *
*      IF THE PRIMARY AUTHORIZATION ID IS NULL OR BLANKS        *
*      IF CA-ACF2 IS AVAILABLE                                  *
*      SET PRIMARY ID FROM ACFASVT (ASVLID)                     *
*      ELSE                                                     *
*      IF TSO FOREGROUND USER                                   *
*      SET PRIMARY ID FROM TSO LOGON ID (ASCBJBNS)              *
*      ELSE                                                     *
*      SET PRIMARY ID FROM JOB USER (JCTUSER)                   *
*                                                               *
*****************************************************************
         SPACE 2
         LA    R1,AIDLPRIM         LOAD PARM REG1                <--ADD
         CALL  FOCDSN3             GO GET THE IBI EXIT           <--ADD
         CLI   AIDLPRIM,C' '       PRIMARY AUTHID THERE ?
         BH    PRIMWTO             ..YES, EVERYTHINGS OK HERE
         L     R3,PSAAOLD-PSA(0)   CURRENT ASCB ADDRESS
         USING ASCB,R3             ASCB ADDRESSABILITY
         SPACE 2

Modifying the Link JCL for DSN3SATH

This is a sample link JCL for the IBM exit DSN3SATH. Modify the JCL to link the modules into the Db2 security exit as follows. The SYSLIN control statements must bring in the assembled DSN3SATH object from the OBJECT DD as well as FOCDSN3 (and FOCDSN4 for RACF and eTrust CA-Top Secret); without the object, the binder has nothing to resolve the DSN3@ATH entry point against. The <-- annotations are not part of the JCL.

//LKED     EXEC PGM=IEWL,PARM='LIST,XREF,LET,RENT,AMODE=31'
//OBJECT   DD DSN=db2pref.SDSNSAMP.OBJ,DISP=SHR            <--OUTPUT OF ASSEMBLE STEP
//EDAMOD   DD DSN=high_level_qualifier.HOME.LOAD,DISP=SHR
//SYSLMOD  DD DSN=db2pref.DSNEXIT,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD UNIT=SYSDA,SPACE=(100,(50,50))
//SYSLIN   DD *
  INCLUDE OBJECT(member)
  INCLUDE EDAMOD(FOCDSN3)
***********************************************************************
*** Omit the following line for eTrust CA-ACF2
***********************************************************************
  INCLUDE EDAMOD(FOCDSN4)
  ENTRY DSN3@ATH
  NAME DSN3@ATH(R)
/*

where:

db2pref

Is the prefix for the Db2 data sets.

high_level_qualifier

Is the high-level qualifier for the data sets.

member

Is the member of db2pref.SDSNSAMP.OBJ in which your assemble step stored the DSN3SATH object code.

After this job finishes successfully, you must recycle (stop and restart) the Db2 subsystem for the new exit to take effect.
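The whole procedure above comes down to a handful of statements being present, in the right order, in the member you hand to the assembler, and a missed edit fails silently: the exit still assembles and links, and every user simply connects under the region's connection ID as described at the top of this page. The following Python script is an added example, not part of this page and not IBI's or IBM's code. It parses a copy of the edited DSN3SATH member (transferred as text) as fixed-format HLASM and checks for the additions and comment-outs shown in the RACF/Top Secret and CA-ACF2 sections. Everything it looks for is a label or operand taken from the examples above; the source excerpts embedded in it are constructed for illustration, and the split between statement and comment fields is the usual HLASM convention (operands end at the first blank outside quotes, sequence numbers in columns 73-80).

```python
"""Pre-assembly check for the FOCDSN3/FOCDSN4 edits to DSN3SATH.

Added example, not IBM's or IBI's code. It reads the edited HLASM member as
text and confirms that the statements this page asks you to add are present
and in order, and that the lines it asks you to comment out are inactive.
The excerpts embedded below are constructed, not copied from a real member.
"""
import re
COMMENT = re.compile(r"^\*|^\.\*")   # '*' in column 1 is an HLASM comment

def strip_seq(line):
    """Drop the sequence field (columns 73-80) and trailing blanks."""
    return line[:72].rstrip()

def operand_field(text):
    """Operands end at the first blank outside quotes, so C' ' keeps its blank."""
    out, quoted = [], False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif ch == " " and not quoted:
            break
        out.append(ch)
    return "".join(out)

def parse(src):
    """Return (label, opcode, operands) for every non-comment statement."""
    stmts = []
    for raw in src.splitlines():
        line = strip_seq(raw)
        if not line.strip() or COMMENT.match(line):
            continue
        label = line.split()[0] if line[0] != " " else ""
        parts = line[len(label):].split(None, 1)
        operands = operand_field(parts[1]) if len(parts) > 1 else ""
        stmts.append((label, parts[0], operands))
    return stmts

def region(stmts, start, end):
    """Statements from label `start` up to, not including, label `end`."""
    labels = [s[0] for s in stmts]
    if start not in labels:
        return []
    i = labels.index(start)
    return stmts[i:labels.index(end, i)] if end in labels[i:] else stmts[i:]

def require(stmts, wanted, where, findings):
    """Each (opcode, operands) pair in `wanted` must occur, in that order."""
    ops, pos = [(op, opnd) for _, op, opnd in stmts], 0
    for w in wanted:
        if w in ops[pos:]:
            pos = ops.index(w, pos) + 1
        else:
            findings.append(f"{where}: missing or out of order: {w[0]} {w[1]}")

def check_dsn3sath(src, acf2=False):
    """Return findings; an empty list means the edits described above are in place."""
    stmts, f = parse(src), []
    if acf2:    # CA-ACF2 member: FOCDSN3 only, ahead of the primary-authid test
        require(stmts, [("LA", "R1,AIDLPRIM"), ("CALL", "FOCDSN3"),
                        ("CLI", "AIDLPRIM,C' '")], "PRIMARY AUTHORIZATION ID", f)
        if ("CALL", "FOCDSN4") in [(op, opnd) for _, op, opnd in stmts]:
            f.append("CALL FOCDSN4 is present but not needed with CA-ACF2")
        return f
    require(region(stmts, "SATH001", "SATH020"), [("LA", "R1,AIDLPRIM"),
            ("CALL", "FOCDSN3"), ("CLI", "AIDLPRIM,BLANK")], "SATH001", f)
    r20 = region(stmts, "SATH020", "SATH024")
    require(r20, [("L", "R6,AIDLACEE")], "SATH020", f)
    if ("ICM", "R6,B'1111',AIDLACEE") in [(op, opnd) for _, op, opnd in r20]:
        f.append("SATH020: ICM R6,B'1111',AIDLACEE is still active; comment it out")
    r25 = region(stmts, "SATH025", "SATH027")
    require(r25, [("CALL", "FOCDSN4"), ("LTR", "R6,R6"), ("BZ", "SATH026"),
                  ("CLC", "ACEEACEE,EYEACEE"), ("BE", "SATH027")], "SATH025", f)
    if "SATH026" not in [lbl for lbl, _, _ in r25]:
        f.append("SATH025: label SATH026 is not defined before SATH027")
    return f

# Constructed excerpt in the shape of an edited RACF/Top Secret DSN3SATH.
EDITED_RACF = """\
SATH001  DS    0H
         LA    R1,AIDLPRIM         LOAD PARM REG1
         CALL  FOCDSN3             GO GET THE IBI EXIT
         CLI   AIDLPRIM,BLANK      IS THE INPUT PRIMARY AUTHID NULL
SATH020  DS    0H                  BRANCH TO HERE IF PRIMARY EXISTS
         L     R6,AIDLACEE         GET => CALLER ACEE IF ANY
*        ICM   R6,B'1111',AIDLACEE CALLER PASSED ACEE ADDRESS?
SATH024  DS    0H                  USE ADDRESS SPACE ACEE
SATH025  DS    0H
         CALL  FOCDSN4             GO GET THE IBI EXIT (4=GROUP AUTH)
         LTR   R6,R6               DOES AN ACEE EXIST?  IF NOT,
         BZ    SATH026             CHECK ACEE IN ADDRESS SPACE
         CLC   ACEEACEE,EYEACEE    DOES IT LOOK LIKE AN ACEE?
         BE    SATH027             YES, GO DO GROUPS
SATH026  DS    0H
SATH027  DS    0H                  CHECK LIST OF GROUPS OPTION
"""
# The same excerpt with both CALL statements dropped, as an unedited member would be.
UNEDITED_RACF = "\n".join(l for l in EDITED_RACF.splitlines() if "FOCDSN" not in l)
# Constructed excerpt in the shape of an edited CA-ACF2 DSN3SATH.
EDITED_ACF2 = """\
         LA    R1,AIDLPRIM         LOAD PARM REG1
         CALL  FOCDSN3             GO GET THE IBI EXIT
         CLI   AIDLPRIM,C' '       PRIMARY AUTHID THERE ?
"""
```

Run check_dsn3sath on the text of the member (acf2=True at CA-ACF2 sites) before submitting the assemble job; an empty list means every addition and comment-out from the steps above was found. The check is deliberately literal: it matches the exact opcodes and operands shown on this page, so if your site has other modifications in DSN3SATH, extend the expected sequences rather than loosening the matching.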