A fix is available
APAR status
Closed as new function.
Error description
This APAR adds DSN1SMFP, a reporting tool that customers who run DB2 in a Common Criteria environment can use to check the security-related settings and system activity.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of the Common Criteria-evaluated * * version of DB2 UDB for z/OS Version 8. * **************************************************************** * PROBLEM DESCRIPTION: This PTF provides a basic reporting * * tool that can be used to help evaluate * * and audit the Common Criteria environ- * * ment in DB2 UDB for z/OS Version 8. * **************************************************************** * RECOMMENDATION: * **************************************************************** This PTF introduces DSN1SMFP, a DB2-supplied application for processing DB2 trace data into reports that are useful for evaluating and auditing the DB2 environment for Common Criteria. It also adds a sample job called DSNTEJCC that shows how to call DSN1SMFP. . Customers other than Common Criteria should use other products, such as IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS for much more robust reporting. . Refer to DB2 for z/OS Version 8 "Requirements for the Common Criteria" manual for information about Common Criteria and how to establish a Common Criteria-compliant environment in DB2 UDB for z/OS Version 8. . ============== About DSN1SMFP ============== DSN1SMFP accepts one or more SMF data sets in standard SMF format and produces from one to sixteen reports. All SMF record types are accepted but only type 101 (DB2 Accounting) and 102 (DB2 Performance) records generated by the DB2 release level of DSN1SMFP and having one of the following DB2 IFCIDs are used: * 0003: Accounting - DDF Data by Location (security-relevant fields only) * 0004: Trace Start * 0005: Trace Stop * 0023: Utility Start * 0024: Utility Change * 0025: Utility End * 0106: System Parameters (security-relevant fields only) * 0140: Audit Authorization Failures * 0141: Audit DDL Grant/Revoke * 0142: Audit DDL Create/Alter/Drop * 0143: Audit First Write * 0144: Audit First Read * 0145: Audit DML Statement * 0350: SQL Statement . Each such trace type is extracted and outputted in report format to a dedicated DD for that trace type. The output DD name indicates the report source: For example, the report for each IFCID 0003 trace record is written to the IFCID003 DD, the report for each IFCID 0106 trace record is written to the IFCID106 DD, and so on. . DSN1SMFP accepts SMF records from any release of DB2 but uses only those for the release in which it ships. You cannot, for example, use V8 DSN1SMFP to report on a V9 DB2. . DSN1SMFP also counts and reports the following values in the end-of-job summary, which is written to the SYSPRINT DD: * Total SMF records read * Total SMF type 101 records * Total SMF type 102 records * Separate totals for IFCIDs 0003, 0004, 0005, 0023, 0024, 0025, 0106, 0140, 0141, 0142, 0143, 0144, 0145, 0350, and "other IFCID" records read * Separate totals for formatted IFCID 0003, 0004, 0005, 0023, 0024, 0025, 0106, 0140, 0141, 0142, 0143, 0144, 0145, and 0350 records written * Total formatted records written . The SYSPRINT DD is also the destination for diagnostic and warning messages generated by DSN1SMFP. . DSN1SMFP requires the following DD statements: * STEPLIB/JOBLIB (input) The STEPLIB or JOBLIB DD must specify both the SDSNEXIT and SDSNLOAD libraries unless both of these are available from the link list. The SDSNEXIT library needs to contain the DSNHDECP module used by the DB2 subsystem that generated the SMF records to be processed. * SMFINDD (input) The SMFINDD DD must specify one or more data sets that contain DB2 trace records in standard SMF format. All SMF records are acceptable but DSN1SMFP will select only SMF type 101 and 102 records that match its DB2 release level, and that have an IFCID type of 0003, 0004, 0005, 0023, 0024, 0025, 0106, 0140, 0141, 0142, 0143, 0144, 0145, or 0350. * IFCID003 (output) Contains the Accounting - DDF data by location reports, derived from security-related fields of the IFCID 0003 trace record. Only IFCID 0003 records that contain a distributed data facility statistics (DSNDQLAC) block are reported. One report is generated for each selected IFCID 0003 record. * IFCID004 (output) Contains the Trace Start reports, derived from the ICFID 0004 trace record. One report is generated for each selected IFCID 0004 record. * IFCID005 (output) Contains the Trace Stop reports, derived from the ICFID 0005 trace record. One report is generated for each selected IFCID 0005 record. * IFCID023 (output) Contains the Utility Start reports, derived from the ICFID 0023 trace record. One report is generated for each selected IFCID 0023 record. * IFCID024 (output) Contains the Utility Change reports, derived from the ICFID 0024 trace record. One report is generated for each selected IFCID 0024 record. * IFCID025 (output) Contains the Utility Stop reports, derived from the ICFID 0025 trace record. One report is generated for each selected IFCID 0025 record. * IFCID106 (output) Contains the System Parameters reports, derived from security-related fields of the IFCID 0106 trace record. One report is generated for each selected IFCID 0106 record, and each such report has four sections: * System Initialization Parameters * Miscellaneous Installation Parameters * Distributed Data Facility Parameters * Data Sharing Parameters * IFCID140 (output) Contains the Audit Authorization Failures reports, derived from the ICFID 0140 trace record. One report is generated for each selected IFCID 0140 record. * IFCID141 (output) Contains the Audit DDL GRANT/REVOKE reports, derived from the ICFID 0141 trace record. One report is generated for each selected IFCID 0141 record. * IFCID142 (output) Contains the Audit DDL CREATE/ALTER/DROP reports, derived from the ICFID 0142 trace record. One report is generated for each selected IFCID 0142 record. * IFCID143 (output) Contains the Audit First Write reports, derived from the ICFID 0143 trace record. One report is generated for each selected IFCID 0143 record. * IFCID144 (output) Contains the Audit First Read reports, derived from the ICFID 0144 trace record. One report is generated for each selected IFCID 0144 record. * IFCID145 (output) Contains the Audit DML Statements reports, derived from the ICFID 0145 trace record. One report is generated for each selected IFCID 0145 record. * IFCID350 (output) Contains the SQL statement reports, derived from the IFCID 0350 trace record. One report is generated for each selected IFCID 0350 record. * SYSPRINT (output) Contains the end of job summary of records read plus diagnostic messages for any DSN1SMFP processing exceptions. All messages are documented in the DB2 for z/OS Messages manual. . See the topic entitled "Additional information for the require- ments for the Common Criteria" in the DB2 for z/OS Version 8 "Requirements for the Common Criteria" manual for more information about reports generated by DSN1SMFP. . DSN1SMFP loads the local (site provided) DSNHDECP module to obtain the EBCDIC CCSID for conversion of Unicode-encoded trace data. When executing DSN1SMFP, ensure that it has access to the DSNHDECP module used by the DB2 subsystem that generated the SMF records to be processed. . The IFCID 0106 trace record also reports the CCSID settings used by DB2. When the IFCID 0106 EBCDIC CCSID setting conflicts with the DSNHDECP CCSID setting, DSN1SMFP issues a warning message (DSN1405I) and uses the setting from IFCID 0106 to convert any Unicode-encoded data in that record. For subsequent records (other than for IFCID 0106), DSNH1SMFP reverts to using the DSNHDECP setting. . ================ Running DSN1SMFP ================ DSN1SMFP loads the DSNHDECP module to obtain the EBCDIC CCSIDs to be used when converting Unicode-encoded trace data to EBCDIC format: To avoid conversion problems and possible contamination of output, ensure that DSN1SMFP can load the DSNHDECP module used by the DB2 subsystem that generated the SMF records to be processed. This module needs to reside in a library (typically prefix.SDSNEXIT) that is allocated ahead of prefix.SDSNLOAD in the JOBLIB DD, STEPLIB DD, or linklist concatenation. . DSN1SMFP is designed for execution in the z/OS batch process. It has no dependency on DB2 other than as a source of the SMF records and the DSNHDECP module. . . Output DDs can be allocated to a print device, a data set, or held output. . =================== Sample job DSNTEJCC =================== For convenience, sample job DSNTEJCC provides the basic JCL framework needed to execute DSN1SMFP. DSNTEJCC is not intended to be run as part of the DB2 Installation Verification Procedure (IVP). Note that DB2 does not provide sample SMF records. . See the DSNTEJCC prolog for directions on how to customize it for use at your site. . **************************************************************** ****************************************************************
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
PK34261
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
810
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2006-11-07
Closed date
2006-12-19
Last modified date
2007-01-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK20793
Modules/Macros
DSNTEJCC DSN1SMFP HDB8810J
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
R810 PSY UK20793
UP06/12/21 P F612
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Rate this page
Please take a moment to complete this form to help us better serve you.
