A fix is available
APAR status
Closed as new function.
Error description
New UDF generating random values
Local fix
Problem summary
USERS AFFECTED: All IBM InfoSphere Guardium Data Encryption for DB2 and IMS Databases Version 1 Release 2 users.
PROBLEM DESCRIPTION: UDF to generate random values using ICSF function (PI44506)
RECOMMENDATION:

A UDF, for example named TRUE_RANDOM, should be created as part of InfoSphere Guardium Data Encryption for DB2 or as a general DB2 function. This UDF has no input argument. It returns a 16-byte random value produced by the ICSF function CSNBRNGL as the function result. The keyword "RANDOM" should be provided as a parameter to the ICSF call. The datatype of the function result should be the same as the one required by the encryption UDF for the ICV, to avoid CAST operations.

A possible extension of the function would be that the length of the required random number in bytes could be provided as an input parameter. This would allow more flexible use, not only for the current encryption UDFs, which always need a 16-byte ICV.

Use case: The use of the function in an insert or update statement which affects several rows should create an individual random number for each processed row, used for the ICV of the encryption UDF. If the function is used several times in one SQL statement, it should return different random numbers on each occurrence and for each processed row.

Business justification: The new encryption UDF requires an ICV to be specified. The most secure way to use the encryption UDF is to provide a true random value for this ICV per row. Providing a UDF as part of the InfoSphere Data Encryption Tool for DB2 would give the customer the highest flexibility and acceptance.
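The effect of the per-row ICV requirement above, as an added example that is not part of the APAR or of the product's code. It assumes the encryption UDF chains the ICV into the first block CBC-style, substitutes a toy Feistel permutation for the real cipher, and uses os.urandom in place of the ICSF CSNBRNGL call; all names, the key, and the row values are constructed.

```python
import hashlib
import os

BLOCK = 16  # bytes; the page's encryption UDFs take a 16-byte ICV

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel over SHA-256: a stand-in permutation, NOT the product's cipher."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def chain_encrypt(key: bytes, icv: bytes, plaintext: bytes) -> bytes:
    """CBC-style chaining (assumed mode): the ICV is XORed into the first block."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = icv, b""
    for off in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[off:off + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return out

def encrypt_rows(key, rows, icv_source):
    """Encrypt each row; icv_source() is invoked once per row, like a per-row UDF call."""
    return [(icv, chain_encrypt(key, icv, row))
            for row in rows for icv in [icv_source()]]

def repeated_first_blocks(encrypted):
    """Count rows whose first ciphertext block repeats an earlier row's (a visible leak)."""
    firsts = [ct[:BLOCK] for _, ct in encrypted]
    return len(firsts) - len(set(firsts))

KEY = b"constructed-demo-key"            # constructed, not a real key label
ROWS = [b"4111111111111111",             # constructed column values
        b"5500000000000004",
        b"4111111111111111",             # same value as row 0
        b"4111111111111111/2027"]        # same first 16 bytes as row 0

FIXED_ICV = bytes(BLOCK)                 # one constant ICV reused for every row
fixed = encrypt_rows(KEY, ROWS, lambda: FIXED_ICV)
per_row = encrypt_rows(KEY, ROWS, lambda: os.urandom(BLOCK))  # stand-in for CSNBRNGL

if __name__ == "__main__":
    print("repeated first blocks, fixed ICV:  ", repeated_first_blocks(fixed))
    print("repeated first blocks, per-row ICV:", repeated_first_blocks(per_row))
```

With the constant ICV, the duplicate row and the row sharing a 16-byte prefix are both recognizable from ciphertext alone; with a fresh ICV per row, neither is.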
Problem conclusion
Temporary fix
Comments
1. After successful SMP/E apply, the Module DECENURN is introduced. This is a Random Number Generator UDF.

2. After successful SMP/E apply, the samplib member DECDB2UD is updated. It now allows linking of DECENURN, as well as DECENU00, DECENUI0, and DECENUP0.

3. After successful SMP/E apply, the samplib Member DECUXUDF is introduced. This member contains SQL statements and descriptions that demonstrate and describe the usage of the DECENURN and DECENUI0 UDFs. DECUXUDF is provided in order to demonstrate how to use the DB2 UDFs provided by Encryption Tool. The SQL contained is intended to provide a functioning example for:
   - creating the DB2 functions for invoking the UDF
   - inserting rows containing encrypted column values
   - selecting rows, decrypting column values
   - updating existing rows, encrypting a previously non-encrypted column (for migration)
   - using DECENURN in conjunction with DECENUI0 in order to generate a unique ICV per row
   This SQL is intended to serve as a basis for your own use. If desired, the sample SQL can be run without modification, with one exception: instances of "INFOSPHERE GUARDIUM DATA ENCRYPTION ENCRYPTED KEY" should be replaced with the cryptographic key label that was built by your security analyst.

4. If Customer wishes to use the new DECENURN UDF, then proceed to step 5; else stop here.

5. Post SMP/E apply, if Customer wishes to use the new DECENURN UDF, Customer should execute the updated samplib member, DECDB2UD, to link the new Module DECENURN.

6. After successful linking of the DEC V1.2 DECENURN Module for this APAR, Customer should do either of the following actions:
   a. Determine if the .SDSNEXIT library, for the DB2 Subsystem where DEC V1.2 is used, is in the System Linklist concatenation. If so, issue the LLA Refresh command on that System LPAR. This will allow Customer to use the updated code without the need to cycle the DB2 Subsystem.
   b. If the .SDSNEXIT library, for the DB2 Subsystem where DEC V1.2 is used, is not in the System Linklist concatenation, Customer will need to cycle the DB2 Subsystem in order to use the updated code.
APAR Information
APAR number
PI44506
Reported component name
DATA ENCRYPTION
Reported component ID
5655P0300
Reported release
120
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2015-07-07
Closed date
2015-10-19
Last modified date
2015-11-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI32163
Modules/Macros
DECDB2UD DECENURN DECUXUDF H29F120J
Fix information
Fixed component name
DATA ENCRYPTION
Fixed component ID
5655P0300
Applicable component levels
R120 PSY UI32163
UP15/10/23 P F510
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 November 2015