

Using the Conversion Utility

If you use native DB2 security, the CA Top Secret Option for DB2 Conversion Utility simplifies the initial CA Top Secret Option for DB2 administration for DB2 resources. The utility converts SQL GRANT entries, located in the DB2 catalog, into TSS ADDTO and TSS PERMIT commands. We recommend that you run the conversion utility to create your first set of TSS commands for DB2 resource authorizations. These converted commands provide a base for writing subsequent commands.

Once the process is underway, you should:

Before running the conversion utility, ensure that the following procedures have been met:

To convert DB2 GRANTS to CA Top Secret Option for DB2 authorities, follow these steps:

This section contains the following topics:

Step 1: Allocate Data Sets for the Conversion Programs

Step 2: Unload the DB2 GRANT Data

Step 3: Convert the DB2 GRANT Catalog Entries into CA Top Secret Option for DB2 Commands

Step 4: Customize the CA Top Secret Option for DB2 Commands Output File

Step 5: Execute the TSS Commands

Step 1: Allocate Data Sets for the Conversion Programs

The CNVALLOC member allocates data sets used by the conversion programs. Edit the JCL to conform to your installation's standards. Depending on the amount of DB2 GRANT information in the DB2 catalog, you might have to increase the size of the SPACE parameters in the JCL. Submit the job and review the output.

Step 2: Unload the DB2 GRANT Data

The CNVGRANT member unloads the DB2 GRANT data from the DB2 catalog and saves it in a partitioned data set (PDS) for use by the conversion program in the next step. Edit the JCL to conform to your installation's standards. Submit the job and review the output. If the job fails because the output file is too small, restart the job after increasing the SPACE allocation in the allocation step.

Step 3: Convert the DB2 GRANT Catalog Entries into CA Top Secret Option for DB2 Commands

The CNV2TSS member converts the DB2 GRANT data from each of the PDS members created in the unload step. Edit the JCL to conform to your installation's standards. The ADD= keyword in the PARM field requires that you supply the name of the ACID that is assigned ownership of the DB2SYS resource authorities (SYSADM, SYSOPR, and so on). The FAC= keyword in the PARM field lets you specify the name of the facility to which the newly generated PERMIT statements are restricted. For example, if all of the converted GRANTs are to be restricted to the DB2PROD facility, you would code FAC=DB2PROD.

If the converted GRANTs are to be applied to ALL facilities, do not specify a value for the FAC= field, or omit the FAC= field entirely. Submit the job and review the output.

Step 4: Customize the CA Top Secret Option for DB2 Commands Output File

At this point, you can edit the TSS commands output file from Step 3 to assign ownership to existing departments and to change accesses. For example, you can add date and time constraints to PERMIT commands, or change ACIDs that were used for secondary authorization IDs in native DB2 to existing profiles.

Step 5: Execute the TSS Commands

The CNVEXEC member executes the TSS commands using BATCH TMP. Edit the JCL to conform to your installation's standards. Submit the job and review the output. You might want to break this job up into smaller jobs for easier control and review.
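A pre-execution review of the Step 3 output can be scripted on a downloaded copy of the command file, to find PERMITs generated without a facility restriction (Step 3) and ACIDs that still need to be mapped to existing ones (Step 4). The following is an added example, not part of the product or its documentation. It assumes commands of the form TSS VERB(acid) KEYWORD(value), a FAC( ) or FACILITY( ) keyword on restricted PERMITs, and TSO continuation characters; the function names and the ACIDs in the sample are hypothetical.

```python
import re

# Assumption: each command reads TSS VERB(acid) KEYWORD(value) ...
KEYWORD = re.compile(r"([A-Z0-9#@$]+)\(([^)]*)\)")

def read_commands(text):
    """Join TSO continuation lines (trailing '-' or '+') into whole commands."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(("-", "+")):
            pending += line[:-1].strip() + " "
        else:
            commands.append(pending + line)
            pending = ""
    if pending:
        commands.append(pending.strip())
    return commands

def review(text, known_acids):
    """Return (command number, finding, command) tuples for manual follow-up."""
    findings = []
    for number, command in enumerate(read_commands(text), start=1):
        pairs = KEYWORD.findall(command.upper())
        if not command.upper().startswith("TSS ") or not pairs:
            findings.append((number, "not a recognizable TSS command", command))
            continue
        (verb, acid), rest = pairs[0], dict(pairs[1:])
        if verb not in ("ADDTO", "PERMIT"):
            findings.append((number, f"unexpected verb {verb}", command))
        if acid not in known_acids:
            findings.append((number, f"ACID {acid} is not in the known list", command))
        # A PERMIT without a facility keyword applies to all facilities.
        if verb == "PERMIT" and not rest.keys() & {"FAC", "FACILITY"}:
            findings.append((number, "PERMIT has no facility restriction", command))
    return findings

# Constructed sample; only DB2SYS, SYSADM, SYSOPR and DB2PROD come from the page.
SAMPLE = """\
TSS ADDTO(DBADEPT) DB2SYS(SYSADM)
TSS ADDTO(DBADEPT) DB2SYS(SYSOPR)
TSS PERMIT(DBAUSR1) DB2SYS(SYSADM) -
    FAC(DB2PROD)
TSS PERMIT(OLDGRP7) DB2SYS(SYSOPR)
"""

if __name__ == "__main__":
    for number, finding, command in review(SAMPLE, {"DBADEPT", "DBAUSR1"}):
        print(f"command {number}: {finding}: {command}")
```

The known-ACID set is supplied by the reviewer, for example from a listing of the ACIDs already defined to CA Top Secret.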