Skip to main content

PK08344: ADD COMMON CRITERIA PARAMETER FOR DB2 V8

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • A new parameter is added to the DSN6SPRM macro, COMCRIT, to
the Common Criteria environment.
When this parameter is set, all tables created must have
security.  This parameter can be changed online.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All users of DB2 UDB for z/OS Version 8 in   *
*                 new-function mode who wish to enable a       *
*                 Common Criteria environment for DB2 are      *
*                 affected by this change.                     *
****************************************************************
* PROBLEM DESCRIPTION: Add support for establishing a Common   *
*                      Criteria environment in DB2 UDB for     *
*                      z/OS Version 8.                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
This APAR introduces optional functionality that allows you to
establish a Common Criteria-compliant environment in DB2 UDB for
z/OS Version 8.  Common Criteria is an international standard
that helps to ensure the security of computer systems in a
network environment.  A Common Criteria-compliant environment
is very restrictive and is not intended for use by most DB2
customers.
.
The Common Criteria environment in DB2 is disabled by default.
Do not enable the Common Criteria environment unless all
existing work on DB2 can support multilevel security.
Multilevel security is a security policy that allows the
classification of data and users based on a system of
hierarchical security levels combined with a system of non-
hierarchical security categories.  For general information about
multilevel security and using multilevel security with the
Common Criteria, see "z/OS Planning for Multilevel Security and
the Common Criteria" (GA22-7509). See the DB2 V8 Administration
Guide for information on how to implement and use multilevel
security in DB2.
.
New system parameter: COMCRIT
-----------------------------
A new system parameter called COMCRIT allows you to activate the
Common Criteria environment.  COMCRIT is online-updateable and
can be set to NO or YES:
- NO is the default value. A value of NO results in compatible
  behavior and does not change the current operation of DB2.
- YES activates the Common Criteria environment and requires
  every new table that is created to have a security label
  column, which enables multilevel security.  If the AS SECURITY
  LABEL clause is missing from a CREATE TABLE statement, DB2
  issues an error and the table is not created.  Existing tables
  are not affected. Use the same value of COMCRIT for all
  members of a DB2 data sharing system.
.
Attention: Setting the value of COMCRIT to YES will cause some
      of the current DB2 installation and migration processes to
      fail.  A value of YES for COMCRIT can also affect
      installation, configuration, and use of other software
      products that require DB2.  See the description below of
      SQL restrictions that apply when DB2 operates in the
      Common Criteria environment.  Run all DB2 installation
      jobs that create user-managed tables before enabling the
      Common Criteria environment.  Once the environment is in
      effect, if you encounter errors when processing DB2-
      supplied DDL or other DDL, change the value of COMCRIT to
      NO to process the DDL or modify the DDL by adding security
      label columns to the DDL tables.
.
SQL restrictions:
-----------------
When DB2 is started in a Common Criteria environment, DB2 issues
the new SQLCODE -4708 under the following circumstances:
* Whenever a CREATE TABLE statement does not include a column
  with the AS SECURITY LABEL clause.  Every normal base table
  must include a security label column in a Common Criteria
  environment.
* Whenever a CREATE or ALTER TABLE statement attempts to define
  a materialized query table.  You cannot define materialized
  query tables in a Common Criteria environment.
* Whenever the LIKE or AS (fullselect) clauses are specified as
  part of a CREATE TABLE or DECLARE GLOBAL TEMPORARY TABLE
  statement.  These clauses are not supported in a Common
  Criteria environment.
.
Enabling the Common Criteria environment
----------------------------------------
To enable the Common Criteria environment, update your DB2 V8
system parameter (DSNZxxx) module as follows:
(1) Verify that all existing work on DB2 can support multilevel
    security and complies with the SQL restrictions that are
    described above.
        Important: If DB2 does not support multilevel security
        or does not comply with the SQL restrictions that are
        described above, do not proceed.
(2) Edit your customized copy of DSNTIJUZ.
(3) Add COMCRIT=YES to the DSN6SPRM parameter list.
(4) Run DSNTIJUZ to regenerate your DB2 system parameter
    (DSNZPxxx) module.
(5) Run the SET SYSPARM command or stop and start DB2 to make
    the change effective.
(6) To facilitate migration to future DB2 releases, update the
    COMCRIT entry in your private DSNTIDxx members for V8 to
    indicate that the setting is YES.

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK08344
    • 

  • Reported component name
    5740 IBM DATABA
    • 

  • Reported component ID
    5740XYR00
    • 

  • Reported release
    810
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function
    • 

  • Submitted date
    2005-07-04
    • 

  • Closed date
    2006-02-02
    • 

  • Last modified date
    2006-03-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UK11425
    

    • 



Modules/Macros


    

  • DSN@ZP   DSNDQWPZ DSNDSPRM DSNTIAM  DSNTIA1
DSNTIDXA DSNTIJUZ DSNTINST DSNWZP   DSNXESQL DSNXIATB DSNXICTB
DSNXIDCL DSNXSRC  DSN6SPRM

    




Publications Referenced


SC18741302GC18960300GC18741803SC18742502SC18742602





Fix information


    

  • Fixed component name
    5740 IBM DATABA
    • 

  • Fixed component ID
    5740XYR00
    • 



Applicable component levels


    

  • R810  PSY  UK11425
       UP06/02/18  P  F602
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








		


		
Copyright and trademark information

		

			
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

		

		


		

		
Rate this page

		

			
Please take a moment to complete this form to help us better serve you.

		

		
		

		
		
		
		
		
		
		

		

			
This material provides me with the information I need.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		
		

		

			
This material is clear and easy to understand.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		

		

		

			
Did the information help you to achieve your goal?

		

		

		

			
			
			
		

		

		


		

		

			
What updates, improvements, or related information would you like to see in this document?

		

		

			

		

		


		

			
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.

		

		

			
Input the verification number to submit feedback:

		

		

			


		

		

		

			

		

		

		


		

		
		





Close [x]









   



Maintenance Window
 








     

  • The IBM Technical support pages, including the Downloads and Drivers Finders will be temporarily unavailable for up to 4 hours due to planned maintenance. This will take place between Saturday November 14, 2009 9:00 PM ET and Sunday, November 15, 2009 7:00 AM ET. During the maintenance, you will not be able to search or download from these pages.
    • 






   
















Close [x]









   



Unscheduled Maintenance Window









There is no unscheduled maintenance scheduled at this time.





   










		

			


			

				





		

		
		


		
Document information

		

			
Product categories:

		
		
Software
Data Management
Data Servers (Database Management Systems)
DB2 for z/OS

		
		

		
			
Software version:

			
810

			

		

		

		
			
Reference #:

			

		PK08344
			

			

		

			
IBM Group:

			
Software Group

			

			
Modified date:

			
2006-03-01

		

		


		
Translate my page

		

			

			

			
			

			
			
			
			

		

		


		
Rate this page

		

			
		

		


		

		
			
Availability Notices