DB2 z/OS v11 - Trusted Context Setup

Bill Gallagher

DB2 z/OS v11 - Trusted Context Setup
We are looking to use DB2 trusted context for the first time at my shop.

What we are trying to do is this: we want to restrict access to execute a DB2 stored procedure such that only specific IDs coming from a set of specific application servers can execute it.

We created the following trusted context:

CREATE TRUSTED CONTEXT KMLTCTR
  BASED UPON CONNECTION USING SYSTEM AUTHID ID1234
  DEFAULT ROLE KMLROLE
  WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  ATTRIBUTES (
    ENCRYPTION 'NONE',
    ADDRESS 'DNS-NAME-1.MYCOMPANY.NET',
    ADDRESS 'DNS-NAME-2.MYCOMPANY.NET'
  )
  WITH USE FOR
    ID1234
    WITHOUT AUTHENTICATION ;

This works for authid ID1234. We're trying to figure out how to enable this for multiple IDs to use, e.g. also for ID2345, ID3456, etc. But the documentation is confusing to us.

Can anybody clarify how to set up a single trusted context that we can use for multiple DB2 authids?

Thanks!

Bill Gallagher | Senior Systems Engineer, DBA | Data Administration
________________________________
This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.


Bill Gallagher

DB2 z/OS v11 - Trusted Context Setup
(in response to Bill Gallagher)
*** Asking this again since I received no responses when I first posted it a couple of weeks ago ***

We are looking to use DB2 trusted context for the first time at my shop.

What we are trying to do is this: we want to restrict access to execute a DB2 stored procedure such that only specific IDs coming from a set of specific application servers can execute it.

We created the following trusted context:

CREATE TRUSTED CONTEXT KMLTCTR
  BASED UPON CONNECTION USING SYSTEM AUTHID ID1234
  DEFAULT ROLE KMLROLE
  WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  ATTRIBUTES (
    ENCRYPTION 'NONE',
    ADDRESS 'DNS-NAME-1.MYCOMPANY.NET',
    ADDRESS 'DNS-NAME-2.MYCOMPANY.NET'
  )
  WITH USE FOR
    ID1234
    WITHOUT AUTHENTICATION ;

This works for authid ID1234. We're trying to figure out how to enable this for multiple IDs to use, e.g. also for ID2345, ID3456, etc. But the documentation is confusing to us.

Can anybody clarify how to set up a single trusted context that we can use for multiple DB2 authids?

Thanks!

Bill Gallagher | Senior Systems Engineer, DBA | Data Administration


John Bucaria

DB2 z/OS v11 - Trusted Context Setup
(in response to Bill Gallagher)
Hi Bill,

I haven't attempted this but if you're using RACF for security, you should be able to create a secondary authorization ID and place all of the primary IDs that need access to the procedure in it. Then specify the secondary auth ID in the trusted context.

From: Gallagher,Bill R <[login to unmask email]>
Sent: Wednesday, May 29, 2019 1:24 PM
To: [login to unmask email]
Subject: [DB2-L] - DB2 z/OS v11 - Trusted Context Setup


Paul Ogborne

DB2 z/OS v11 - Trusted Context Setup
(in response to Bill Gallagher)
Hi Bill,
In non-RACF controlled environments, I have just created separate trusted contexts although I didn't use the role feature as in your case.
If you are indeed using RACF/ACF2 security in Db2 then I would go with JohnB's suggestion.
Regards,
Paul Ogborne


-----Original Message-----
From: Gallagher,Bill R <[login to unmask email]>
To: [login to unmask email] <[login to unmask email]>
Sent: Wed, 29 May 2019 18:24
Subject: [DB2-L] - DB2 z/OS v11 - Trusted Context Setup


Johnny Wilder

DB2 z/OS v11 - Trusted Context Setup
(in response to Paul Ogborne)
Will this not work?


CREATE TRUSTED CONTEXT KMLTCTR
  BASED UPON CONNECTION USING SYSTEM AUTHID ID1234
  DEFAULT ROLE KMLROLE
  WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  ATTRIBUTES (
    ENCRYPTION 'NONE',
    ADDRESS 'DNS-NAME-1.MYCOMPANY.NET',
    ADDRESS 'DNS-NAME-2.MYCOMPANY.NET'
  )
  WITH USE FOR
    ID1234, ID3456, ID4567, ID5678
    WITHOUT AUTHENTICATION ;


Johnny Wilder | Lead Database Administrator
Motion Industries, Inc
1605 ALTON ROAD | BIRMINGHAM, AL 35210
Office: 205-951-6990 | Fax: 205-951-1185
[login to unmask email] | http://www.motionindustries.com

This e-mail and any attachments may contain Motion Industries, Inc confidential information that is proprietary, privileged, and protected by applicable laws. If you have received this message in error and are not the intended recipient, you should not retain, distribute, disclose or use any of this information and you should destroy this e-mail, any attachments or copies therein forthwith. Please notify the sender immediately by e-mail if you have received this e-mail in error.
From: Paul Ogborne <[login to unmask email]>
Sent: Wednesday, May 29, 2019 2:18 PM
To: [login to unmask email]
Subject: [DB2-L] - RE: DB2 z/OS v11 - Trusted Context Setup
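As an added example (not code from any poster in this thread), here is the multi-authid form of Bill's context written with a per-ID authentication option in the WITH USE FOR list, the matching GRANT so that the procedure is reachable only through the context's role, and catalog queries to confirm what Db2 actually stored. KMLTCTR, KMLROLE, ID1234/ID2345/ID3456 and the ADDRESS values are the thread's names; MYSCHEMA.MYPROC is a placeholder, and the catalog table and column names are assumed from memory of the Db2 for z/OS catalog, so check them against your version's SQL Reference.

```sql
-- Added example, not from the thread. One trusted context, several
-- switchable authids, each with its own authentication requirement.
-- ID2345/ID3456 and their options are illustrative.
CREATE TRUSTED CONTEXT KMLTCTR
  BASED UPON CONNECTION USING SYSTEM AUTHID ID1234
  DEFAULT ROLE KMLROLE
  WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  ATTRIBUTES (
    ENCRYPTION 'NONE',                  -- 'HIGH' would require TLS on the connection
    ADDRESS 'DNS-NAME-1.MYCOMPANY.NET',
    ADDRESS 'DNS-NAME-2.MYCOMPANY.NET'
  )
  WITH USE FOR
    ID1234 WITHOUT AUTHENTICATION,
    ID2345 WITHOUT AUTHENTICATION,
    ID3456 WITH AUTHENTICATION;         -- switching to ID3456 must present credentials

-- Grant EXECUTE only to the role the context assigns. The IDs then hold the
-- privilege only while connected through KMLTCTR from a listed address.
-- MYSCHEMA.MYPROC is a placeholder procedure name.
GRANT EXECUTE ON PROCEDURE MYSCHEMA.MYPROC TO ROLE KMLROLE;

-- Verify the definition from the catalog (table/column names assumed from
-- the Db2 for z/OS catalog; confirm against your release's SQL Reference).
SELECT C.NAME, C.SYSTEMAUTHID, C.DEFAULTROLE, C.ENABLED,
       A.AUTHID, A.ROLE, A.AUTHENTICATE
  FROM SYSIBM.SYSCONTEXT C
  JOIN SYSIBM.SYSCONTEXTAUTHIDS A ON A.CONTEXTID = C.CONTEXTID
 WHERE C.NAME = 'KMLTCTR';

-- Trust attributes (ENCRYPTION, ADDRESS, ...) recorded for the context.
SELECT T.NAME, T.VALUE
  FROM SYSIBM.SYSCONTEXT C
  JOIN SYSIBM.SYSCTXTTRUSTATTRS T ON T.CONTEXTID = C.CONTEXTID
 WHERE C.NAME = 'KMLTCTR';
```

The second query is the quick check for the quoting problem in the thread's original statement: an ADDRESS value stored with a trailing space or a missing quote will not match the connecting server, and the context silently does not apply.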