Implementing Security for Non-CA Products › DB2 › DB2 Support

DB2 Support

CA Top Secret r 4.4 and above supports DB2 Version 2 SQL for Secondary Authorization IDs. Secondary Authorization IDs are defined to CA Top Secret through the IBMGROUP resource. At logon, CA Top Secret automatically builds a list of authorized IBMGROUPs for use by DB2. Since this list is built at logon, access qualifiers such as time of day and day of week are only validated at that time. The list of IBMGROUPs is not refreshed until the next logon.

Note: The CA Top Secret DB2 exits provided in r 4.2 of CA Top Secret are no longer necessary. The DB2 authorization exits (DSN3@ATH and DSN3@SGN) provided by IBM, however, are.

Connecting to DB2 With CICS

In a CICS environment, the value of the primary AUTHID is dependent on how the AUTH= parameter is coded in the CICS RCT. There are several valid parameters for AUTH=; the most important ones are described below.

AUTH=GROUP

Uses the signon CICS userid as the primary AUTHID. A signon is not driven for this event. This performs the same function as AUTH=USERID with the added benefit of improved performance.

AUTH=USERID

Uses the signon CICS userid as the primary AUTHID. A signon is driven for this event even though the userid is already signed on to CICS.

AUTH='acidname'

Uses the acidname as the primary AUTHID. A signon is driven if the acidname is a valid CA Top Secret ACID with access to the CICS facility being used.

AUTH=TXID

Uses the CICS transaction name as the primary AUTHID. A signon is driven if the primary AUTHID and the transaction name are valid CA Top Secret ACIDs with access to the CICS facility being used.

CA Top Secret IMS ACEE Locater Subroutine

The DB2 DSN3@SGN exit looks at the ACEE to determine the groups that are used as the DB2 Secondary Authorization IDs. In an IMS environment, if the ACEE is not available, the exit issues a RACROUTE REQUEST=VERIFY,ENVIR=CREATE call to obtain the ACEE. These RACROUTE calls can produce a great deal of overhead.

CA Top Secret /MVS provides a subroutine, TSS3@LOC, to locate the ACEE of an IMS user. By using this subroutine, called by the DSN3@SGN exit, you can locate the ACEE of an IMS user without resorting to a RACROUTE call.

To use the subroutine, the following conditions must exist:

• You must modify RACF SAMPLE version of the DSN3@SGN exit to call this subroutine.

  Note: The subroutine can be called in all environments by the DB2 DSN3@SGN exit, but only returns the ACEE in an IMS MPP or BMP environment.

• CA Top Secret MVS must be running in the IMS environment, with ISIS=1 specified in the control region.

The following entry conditions apply:

• TSS3@LOC must be entered with standard linkage conventions, namely:
  • R13
  • Address of an available save area
  • R14
  • Return address
  • R15
  • Entry address
• The subroutine is entered in the same state and mode as the DB2 DSN3@SGN exit, currently:
  • Supervisor state
  • Key 7
  • AMODE 31
• At entry, R1 must point to a parameter list. The format of the parameter list is:
  • Address of DB2 EXPL control block
  • Address of DB2 AIDL control block
  • Address of work area (optional)
  • Length of work area passed (optional)

  If the optional parameters are not included or if 0 is not specified, the program performs a GETMAIN/FREEMAIN for its work area.

The following exit conditions apply:

R15

Return code from the subroutine

0

ACEE found and returned in R1

4

ACEE not found; caller must issue RACROUTE REQUEST=VERIFY,ENVIR=CREATE

8

Unsupported environment (not MPP/BMP with CA Top Secret )

16

Subroutine encountered logic error

R1

Address of ACEE if R15=0. If R15 does not equal 0, R1 will contain a 0.