RO88618 and relink of [email protected]
Article ID: 242730
Updated On:
Products
Issue/Introduction
The following are the steps documented in RO88618 to perform after the apply of the fix:
**************************
* STEPS TO PERFORM *
**************************
1.- LLA Refresh
2.- Run CADBJCL0(DB13XAC) to Relink [email protected] for Top Secret.
3.- Restart the DB2 address space
However, the module in SDSNEXIT has never been compiled previously so, is it mandatory to Run CADBJCL0(DB13XAC) to Relink [email protected]?
Environment
Release : 16.0
Component : Top Secret Option for DB2
Resolution
The instructions to Link Edit the CADb2XAC Exit are at the following link:
This step is optional so if you did not run it in the past to replace the original version of the [email protected] module it is not necessary to run the job again as explained in RO88618.
However, having said that, it is recommended to run the DB13XAC job to replace the original [email protected] module with the version provided by Broadcom.
Running the DB13XAC job puts in a TSS DB2 security exit. This is the exit that ENF/DB2 hooks and will never actually have its code executed if Top Secret and ENF have been normally started on the system. But if for some reason something goes wrong, then the TSS exit will run if present. The TSS exit will give a return code to DB2, when the first authority check comes along, that tells DB2 to shutdown. Without these exits in place, DB2 would use native internal security, which would allow users to potentially gain access to DB2 objects that they should not have access to.
The longer your site has been running TSS/DB2, the more likely that your internal DB2 security is “behind the times” and could possibly allow access to data that should not be allowed access to if Top Secret or ENF are not properly started ahead of DB2.
You should consider implementing this exit.
However, if you decide not to implement it then you can apply RO88618 without running the step to relink [email protected]
Feedback
