DB2 Server for VSE & VM: Control Center Operations Guide for VM


Appendix C. Password Support

Control Center supports the use of minidisk passwords for READ and MULTIPLE-WRITE links that a database machine may require during processing (at startup, or when running single user mode tools). Additionally, if READ passwords are required for the database production disk, password support can be granted to selected users and to the Control Center support machine.

If Data Restore has been enabled on your Control Center service machine, then a password file is required to provide the SQLDBA password to Data Restore and, if necessary, to support the Data Restore machine's links to the database's directory, log, data and archive disks.

If Data Restore will not be managed by Control Center then password support is an optional feature that is activated simply by establishing a special database password file on the managing Control Center service machine, and on the user and support machines if needed. No additional installation steps or changes in your system configuration are required. Support is deactivated by removing the password files from each userid/machine.
Note: If you are not using Data Restore, and if you are not using minidisk read/write passwords in your environment, or are using a security access product such as RACF, you should not activate the password support feature of Control Center.


Links Performed by Control Center

Control Center code executing on the database machine, support machine, and user/DBA machine only performs the dynamic links described below. In general, the database will only link to the database's production and service disks, and tape manager code.

  1. Multiple-write (M) links to the database production disk are ONLY performed by the database and ONLY when executing SUM functions ADD, DELETE and COPY DBEXTENTS. NO WRITE links are performed.
  2. Only the database links to the service disk (193). The service disk is ONLY linked in READ "RR" mode.
  3. Only the database links to the tape manager code. The tape manager code disk is ONLY linked in READ (RR) mode.
  4. The database will link "RR" to permanent disks owned by Support machines and user machines that are used for SUM dbspace reloads.
    Note: This link is eliminated with the Single User Mode DBSPACE Reorganization tool. It performs the entire reorganization on the database and requires the permanent disk to already be linked/accessed if used.
  5. Control Center Service and Support machines, and users only link to the database production disk in READ (RR) mode. This only occurs when DBINIT is executed to initialize to a new database.
  6. Control Center and database functions do NOT perform links to the Control Center code disk. Links to the Control Center code disk are performed in the VM Directory or the PROFILE EXEC.

The database will use userid and virtual address information contained in the database parms files and the SQLMSTR control file when linking to its production and service disks, and to the tape manager. Userids and addresses in the LINKPWDS file should match these values.


Password File Setup

To use the password link facility with a given database, you must create a file containing the minidisk owner ID (user ID), minidisk device address, and read and multi-write passwords of all minidisks that the database machine will potentially link to during processing (Control Center code disk, DB2 Server for VM production disk, or tape manager code disk). This file must be named dbmachid LINKPWDS, where dbmachid is the database machine ID, and be formatted as shown below.

Figure 244. Example SQLMACH LINKPWDS File. Columns 1-8 must contain the user ID of the minidisk owner. The other columns are free form with only a blank necessary between values. The values must be specified in the order shown.

userid   cuu       readpw   multi-writepw
userid   cuu       readpw   multi-writepw
userid   cuu       readpw   multi-writepw

Figure 245. Example dbname LINKPWDS File

DYNAMT   187       readpw   multi-writepw
userid   cuu       readpw   multi-writepw
userid   cuu       readpw   multi-writepw

This file must then be sent to the managing Control Center service machine, where it will automatically be received with filemode A0 for security reasons. A Control Center Administrator can later view the file by requesting the service machine to send a copy to their user ID. The commands for doing this are given below:

SQM (MSTRSRV
SQM CMS SENDFILE SQLMACH LINKPWDS A0 userid

where MSTRSRV is the service machine ID, SQLMACH is the database machine ID, and userid is the Administrator's ID.
Note:
  • The Control Center service machine needs a separate dbmachid LINKPWDS file for each database it manages.
  • The Control Center service machine also needs a file named mstrsrv LINKPWDS that contains the combined password information for all the databases it manages. The format of this file is the same as the individual dbmachid LINKPWDS. Mstrsrv is the Control Center service machine ID.


READ Passwords on the Database Production Disk

Most Control Center functions invoke DBINIT (SQLINIT) which executes a READ (RR) link to a database production disk. This link is performed by the user or Control Center Support machine. For practical reasons, most VM systems do not require READ passwords for database production disks in order to ease access to the database.

If there are no passwords on the production disk or if the READ password is set to "ALL", then Control Center machines and users will not need their own password file.

If READ passwords ARE required on the production disk, then a separate LINKPWDS file will have to be created for every userid that will be executing Control Center code. These steps have to be done prior to using the system:

  1. Create a LINKPWDS file named usermachid LINKPWDS A0, where usermachid is the userid of the person or Support machine that will be executing the Control Center code.
  2. The usermachid LINKPWDS A0 file will contain the database userid, production minidisk address, and the READ password for every database that requires production disk passwords. The format is the same as the database LINKPWDS file.
  3. Only the READ password is needed in the password file.
  4. The usermachid LINKPWDS file will have to be placed on the A-disk of usermachid. If the file is sent to the Support machine using the CMS SENDFILE command, the file will automatically be received.

How it Works

At startup time, the database machine runs the DBSTART exec, which requests a copy of the LINKPWDS file from the service machine. The service machine responds by sending the proper LINKPWDS file, if it exists, to the database machine, where it is received to the A-disk. Then, when an exec runs on the database machine and tries to link to a disk (including the database code and service disks), the proper read and multiple-write passwords are extracted from the file and used in the LINK command. For all other users and Control Center machines, the LINKPWDS file must already exist on the userid's A-disk.


Password Support for Data Restore

If Data Restore functions are to be managed by the Control Center service machine, then a password file must be present on the Control Center service machine's 191 disk for each Data Restore machine. This password file will automatically be sent to the Data Restore machine before each Data Restore function is executed. The Data Restore machine's password file is required for the following reason:

Data Restore requires that the Data Restore machine have READ and WRITE access to all of the database's data, directory and log disks. Additionally, if the database performs log archives or full archives to disk, then Control Center support for Data Restore functions requires that the Data Restore machine have READ authority to the database's log archive and full archive disks. This link authority is in addition to any other password support required in the previous sections.

This setup is required:

  1. All of a database's disks must have the same READ password. Different databases may have different passwords.
  2. All of a database's disks must have the same WRITE and MULTI-WRITE password. Different databases may have different passwords.
  3. The WRITE and MULTI-WRITE password must be the same on the same database.
  4. If the database performs archives to disks, then the database must use the same CUU (virtual link) as the real address (link address) to link and access these disks. The CUU that is designated in the database TAPES file is recorded in the ARCHHIST file for the database when an archive completes. If a Data Restore TRANSLATE or RELOAD RECOVERY=Y is performed, the disk address recorded in the ARCHHIST file will be linked in order to read the archive.
  5. The password file for the Data Restore machine is in addition to any password files you already use or require as described in previous sections.


Password File Setup for the Data Restore machine

One password file (LINKPWDS) will be required for each Data Restore machine. This file will contain password information about each database the Data Restore machine supports.

To use the password link facility with a given Data Restore machine, you must create a file named drmachid LINKPWDS, where drmachid is the Data Restore machine ID. The file should contain:

  1. The database machine name, the label "DRF" and the read and write passwords for the database directory, data disks, log disks and archive disks. There should be only one "DRF" entry for each database.
  2. The database machine name, the label "DBAPW" and database password (as recorded in SYSTEM.SYSUSERAUTH) for the userid "SQLDBA".
  3. If passwords are required for links to other disks (Control Center code, database production, or tape manager code disk), additional entries must be added as described in the "Password File Setup" section.

An example of a formatted drmachid LINKPWDS file is shown below.

Figure 246. Example Data Restore machine LINKPWDS File. Columns 1-8 must contain the VM user ID of the database. The other columns are free form with only a blank necessary between values. The values must be specified in the order shown.

dbmach1   DRF     readpw1  writepw1
dbmach1   DBAPW   password1
dbmach2   DRF     readpw2  writepw2
dbmach2   DBAPW   password2
dbmach3   DRF     readpw3  writepw3
dbmach3   DBAPW   password3
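The following parser is an added example, not code from the manual or from Control Center itself. It reads the LINKPWDS record layout described in the "Password File Setup" section and the DRF/DBAPW records added for a Data Restore machine above, enforces the column 1-8 user ID rule, checks the "only one DRF entry per database" and DBAPW requirements, and resolves the password pair an ordinary LINK would use. The sample file contents, user IDs and passwords are constructed for the example.

```python
# Constructed sample LINKPWDS content (not from the manual): plain link entries
# (userid cuu readpw multi-writepw) mixed with Data Restore DRF and DBAPW entries.
SAMPLE_LINKPWDS = """\
DYNAMT   187       tmread   tmwrite
SQLMACH  195       ALL      prodmw
DBMACH1  DRF       readpw1  writepw1
DBMACH1  DBAPW     dbapw1
DBMACH2  DRF       readpw2  writepw2
"""

def parse_linkpwds(text):
    """Parse LINKPWDS records (user ID in columns 1-8, rest blank-delimited and positional)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[:1].isspace():
            raise ValueError(f"line {lineno}: user ID must begin in column 1")
        owner, fields = raw[:8].strip().upper(), raw[8:].split()
        kind = fields[0].upper() if fields else ""
        if kind == "DRF" and len(fields) == 3:      # Data Restore disk passwords
            entries.append({"owner": owner, "kind": "DRF", "readpw": fields[1], "writepw": fields[2]})
        elif kind == "DBAPW" and len(fields) == 2:  # SQLDBA password for Data Restore
            entries.append({"owner": owner, "kind": "DBAPW", "password": fields[1]})
        elif len(fields) == 3:                      # ordinary minidisk link entry
            entries.append({"owner": owner, "kind": "LINK", "cuu": kind, "readpw": fields[1], "multipw": fields[2]})
        else:
            raise ValueError(f"line {lineno}: unrecognised LINKPWDS record")
    return entries

def check_data_restore_entries(entries):
    """Data Restore rules: one DRF entry per database, and a DBAPW entry for each such database."""
    problems = []
    drf = [e["owner"] for e in entries if e["kind"] == "DRF"]
    dba = {e["owner"] for e in entries if e["kind"] == "DBAPW"}
    for owner in sorted(set(drf)):
        if drf.count(owner) > 1:
            problems.append(f"{owner}: more than one DRF entry")
        if owner not in dba:
            problems.append(f"{owner}: DRF entry without a DBAPW entry")
    return problems

def link_passwords(entries, owner, cuu):
    """Return (readpw, multi-writepw) for a LINK to owner's cuu, or None if no entry."""
    for e in entries:
        if e["kind"] == "LINK" and e["owner"] == owner.upper() and e["cuu"] == cuu.upper():
            return e["readpw"], e["multipw"]
    return None
```

A READ password of ALL is passed through unchanged, since the manual treats it as "no read password required" rather than as a secret.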

This file must then be sent to the managing Control Center service machine, where it will automatically be received with filemode A0 for security reasons. A Control Center Administrator can later view the file by requesting the service machine to send a copy to their user ID. The commands for doing this are given below:

SQM (MSTRSRV
SQM CMS SENDFILE SQLMACH LINKPWDS A0 userid

where MSTRSRV is the service machine ID, SQLMACH is the database machine ID, and userid is the Administrator's ID.

