Subsystem Access

Whether a process can gain access to a specific DB2 subsystem can be controlled outside of DB2. A common procedure is to grant access only through RACF or a similar security system. DB2 address spaces and profiles for access to DB2 from various environments are defined as resources to RACF. These profiles are identified by the subsystem and the environment. Environments include

  • MASS for IMS

  • SASS for CICS

  • DIST for DDF


  • BATCH for TSO, CAF, utilities, DB2 SPAS

Each request to access DB2 is associated with an ID. RACF checks that the ID is authorized for DB2 resources and permits or refuses access to DB2. The RACF system provides several advantages of its own. For example, RACF can

  • Identify and verify the identifier associated with a process

  • Connect those identifiers to RACF group names

  • Log and report unauthorized attempts to access protected resources

Local DB2 Access

A local DB2 user is subject to several checks even before reaching DB2. For example, if you are running a program that accesses DB2 under TSO and using the TSO log-on ID as the DB2 primary authorization ID, that ID was verified with a password when the user logged on to TSO. When the user gains access to DB2, a user-written or IBM-supplied exit routine called by DB2 can check the authorization ID further, change it, and associate it with secondary IDs. In providing these services, DB2 can use the services of an external security system.

Remote Access

A remote user is also subject to several checks before reaching your DB2 subsystem. You can use RACF or a similar security subsystem to control access from remote subsystems and clients.

RACF also provides the ability to

  • Verify an identifier associated with a remote attachment request and check it with a password.

  • Generate Pass Tickets on the sending side. PassTickets can be used instead of passwords. A PassTicket lets a user gain access to a host system without sending the RACF password across the network.


DB2's communications database does allow some control of authentication in that you can cause IDs to be translated before sending them to the remote system. For more information about accessing DB2 and the CDB, refer to Chapter 2.

IMS and CICS Security

Access to DB2 can also be controlled from within IMS or CICS.

  • IMS terminal security lets you limit the entry of a transaction code to a particular logical terminal (LTERM) or group of LTERMs in the system. To protect a particular program, you can authorize a transaction code to be entered only from any terminal on a list of LTERMs. Alternatively, you can associate each LTERM with a list of the transaction codes that a user can enter from that LTERM. IMS then passes the validated LTERM name to DB2 as the initial primary authorization ID. IMS can also use RACF or another security product for identification and authentication. LTERM usage is less popular.

  • CICS transaction code security works with RACF to control the transactions and programs that can access DB2. Within DB2, you can use the ENABLE and DISABLE options of the bind operation to limit package access to specific CICS subsystems.

Kerberos Security

Kerberos security is a network security technology developed at the Massachusetts Institute of Technology. DB2 for z/OS can use Kerberos security services to authenticate remote users. With Kerberos security services, remote end users access DB2 when they issue their Kerberos name and password. This same name and password are used for access thoughout the network, so a separate MVS password to access DB2 is not necessary.

The Kerberos security technology does not require passwords to flow in readable text, making it secure even in client/server environments. This flexibility is possible because Kerberos uses an authentication technology that encrypts tickets that contain authentication information for the end user.

DB2 support for Kerberos security requires RACF or the functional equivalent. The Network Authentication and Privacy Service provides Kerberos support and relies on a security product, such as RACF, to provide registry support.


You can use Kerberos security only if you have RACF.

DB2 for z. OS Version 8 DBA Certification Guide
DB2 for z/OS Version 8 DBA Certification Guide
ISBN: 0131491202
EAN: 2147483647
Year: 2003
Pages: 175
Authors: Susan Lawson © 2008-2017.
If you may any questions please contact us: