Db2 Cert7011 PDF
Db2 Cert7011 PDF
Db2 Cert7011 PDF
20 May 2003
This tutorial introduces skills you must have to properly manage a DB2 server. This is
the first tutorial in a series of six that you can use to help prepare for the DB2 V8.1 for
Linux, UNIX, and Windows Database Administration Certification (Exam 701).
Section 1. Introduction
You do not need a copy of DB2 Universal Database to complete this tutorial.
However, you can download a free trial version of IBM DB2 Universal Database ¹
Enterprise Server Edition if you'd like.
Although not all materials discussed in the Family Fundamentals tutorial series are
required to understand the concepts described in this tutorial, you should at least
have a basic knowledge of:
A DB2 instance is a logical context in which DB2 commands and functions are
executed. You can think of an instance as a service or a daemon process that
manages access to database files. More than one instance can be defined on a
server machine. Each instance is independent of the others, meaning that all
instances can be managed, manipulated, and tuned separately.
db2icrt instance_name
In UNIX, you must also provide a user ID that will be used to create fenced
user-defined function and stored procedure processes, like so:
db2icrt -u fenced_user_ID
instance_name
To drop an instance, disconnect all database connections, and stop the instance,
issue this command:
db2idrop -f instance_name
db2ilist
db2imigr instance_name
When certain product options or fix patches are installed, existing DB2 instances
and their associated databases need access to new functions. Use this command to
update an instance:
db2iupdt instance_name
db2set -lr
Note that there are no spaces between the variable name, the equals sign, and the
variable value. Here's an example:
db2set DB2COMM=TCPIP,APPC
To reset a DB2 profile registry to its default value, simply use the same command as
above but do not specify any value:
db2set registry_variable =
To display all the DB2 profile registries currently set on the server, issue this
command:
db2set -all
[e] DB2PATH=C:\SQLLIB
[i] DB2INSTPROF=C:\SQLLIB
[i] DB2COMM=TCPIP,APPC
[g] DB2SYSTEM=DB2NTSERV
[g] DB2PATH=C:\SQLLIB
[g] DB2ADMINSERVER=DB2DAS00
The output from this command will look something like this:
At the Control Center, right click on the instance or database for which you would
like to work with and select Configure Parameters. You will get a list of
configuration parameters with descriptions and the current and pending values.
You can also get the same output by using the DB2 commands:
Once you click OK, you are returned to the Configuration window. The Pending
Value Effective column tells you when the new value will take effect. If the field reads
"After Instance Restart", then the pending value will not be set to the value you
selected until the instance is restarted. Otherwise the new value takes effect
immediately.
The following commands can be used to set the values of the database manager or
database configuration parameters respectively:
If you choose to defer the changes until the instance is restarted or until the
database is activated, specify the deferred keyword instead:
You'll sometimes want to find out what changes have been made and deferred. To
show the current and pending values of the database manager configuration
parameters, attach to the instance first, then specify the show detail option in the
get database manager configuration command, like so (note that
instance_name is the value set by the system environment variable DB2INSTANCE
):
Similarly, to list the current and pending values of the database configuration
parameters, connect to the database first and then use the show detail option:
Pending values are listed under the Delayed Value column, as illustrated below.
• TCP/IP
• APPC
• NetBIOS
• NPIPE
The DB2 Connect software, which utilizes the Distributed Relational Database
Architecture (DRDA), is required for connections to host databases such as DB2 for
z/OS and OS/390 or DB2 for iSeries.
1. Set the DB2 profile registry, DB2COMM, to enable the instance for the
specified communication protocols, like so:
db2set DB2COMM=TCPIP,NETBIOS
db2icdb2 50000/tcp
Update the database manager configuration file so that DB2 will use the
port number associated with the service db2icdb2 for the instance you are
working on:
If you choose not to use the services file, simply update svcename
with the correct port number:
3. The parameters svcename and nname are not configurable online. Stop
and start the instance so that the new values can be used:
db2stop
db2start
The search method searches the network for any DB2 servers. DB2 Discovery
performs a search up to the first router from where the search request is issued.
Therefore, this method may take some time to return a result.
If you know some information about the DB2 server you want to locate, use the
known method and provide information such as the database or server name to limit
the search.
A DB2 server is searchable only if its DB2 Administration Server (DAS) service is
running and the discover parameter is set to search:
db2admin start
db2 update admin configuration using discover search
It is important to point out that disabling discovery at the DAS, instance, or database
level does not restrict DB2 clients from setting up database connectivity through
other methods (which will be discussed next). DB2 clients can still connect to a
remote database even though its database configuration discover_db is disabled.
method from the Configuration Assistant, but that task would probably take you a
long time to complete. In such a situation, you should consider using a DB2 access
profile.
An access profile contains information that a client needs for configuring connectivity
with a DB2 server. There are two types of access profiles:
3. Use the Configuration Assistant to import the file into the DB2 client.
You may find it burdensome to explain to all your users how to import the profile
using the Configuration Assistant. In addition, some users may have a version of the
DB2 runtime client installed that does not include Configuration Assistant. In such
cases, you can use the following command to perform the same import as described
above:
db2cfimp access_profile_name
Alternatively, you can use the catalog commands via the DB2 Command Line
In the diagram below, an AIX server (host1) has two instances and three databases
defined. The Windows NT server (host2) contains only one instance and one
database.
For a client machine to connect to all the databases in this scenario, each remote
instance must be cataloged and stored in its node directory, and each database
must be pointed to its associated node (or instance).
To attach to an instance:
With instance attachment, you can perform remote administrative tasks such as:
Notice that the connect statement also allows you to set a new password for the
user specified.
With a database connection, you can manipulate data and database objects. The
allowed operations are:
First, use the list applications command to show all current connections
made to any database defined within the instance:
Identify the connections that you want to terminate and specify the associated
application handles in the force application command. If multiple connections
are identified, separate them with commas. The following command terminates
connections associated with application handles numbered 5 and 6:
To disconnect all database connections in an instance, simply use the all option:
The force application command will only terminate the connections specified.
It does not stop new applications from connecting to the databases.
Authentication types
The authentication type determines where the user ID/password pair is verified. The
supported authentication types are:
• SERVER (default)
• SERVER_ENCRYPT
• KERBEROS
• KRB_SERVER_ENCRYPT
• CLIENT
We'll discuss these in detail in the following panels.
At server: Only one authentication type is allowed per instance. This means the
setting applies to all databases defined under that instance. Specify it in the
database manager configuration file with the AUTHENTICATION parameter.
At client: Each database cataloged at the client has its own authentication type
specified with the catalog database command.
1. A user logs into a workstation with the username peter and password
peterpwd.
2. peter then connects to the SAMPLE database with the user ID db2user
and password db2pwd, which are defined at the remote DB2 server.
3. db2user and db2pwd are sent to the server through the network.
If you want to protect the user ID and password from eavesdropping, use
authentication type SERVER_ENCRYPT so that both user ID and password are
encrypted.
Authentication type KERBEROS can be used when both the DB2 client and server
support the Kerberos security protocol. However, some clients may not support
Kerberos, but still need to access the DB2 server. To ensure that both types of
clients are able to connect securely, set the authentication type at the DB2 server as
KRB_SERVER_ENCRYPT. This allows all Kerberos-enabled clients to authenticate
with Kerberos, while other clients use SERVER_ENCRYPT authentication instead. The
following illustration offers a quick summary of different client and server
authentication settings related to Kerberos.
It is important to understand that there are client systems that do not have a reliable
security facility, such as Windows 9x and Classic Mac OS. They are referred as
untrusted clients. Anyone who has access to these systems can also connect to the
DB2 server without any authentication. Who knows what kind of destructive
operations they will perform (e.g., dropping a database)? In order to provide the
flexibility of allowing trusted clients to perform authentication on their own and, at the
same time, forcing untrusted clients to be authenticated at the server, two other
database manager configuration parameters are introduced:
• TRUST_ALLCLNTS
• TRUST_CLNTAUTH
Note that these two parameters will be evaluated only when authentication is set to
CLIENT. We'll look at them in more detail in the next panel.
Trusting clients
TRUST_ALLCLNTS determines which types of clients are trusted. The parameter has
• YES -- Trust all clients. This is the default setting. Authentication will take
place at the client. There is an exception, which we'll discuss in more
detail when we cover TRUST_CLNTAUTH below.
• NO -- Trust only clients with reliable security facilities (i.e., trusted clients).
For untrusted clients to connect, user ID and password must be provided
for authentication to take place at the server.
• DRDAONLY -- Trust only clients that are running on iSeries or zSeries
platforms (i.e., DRDA clients). Any other clients must provide user ID and
password.
Consider a scenario in which a DB2 server has set authentication to CLIENT and
TRUST_ALLCLNTS to YES. You log into a Windows 2000 machine as localuser and
connect to the remote database without specifying a user ID and password.
localuser will be the connected authorization ID at the database. What if you want to
connect to the database with a different user ID -- as poweruser, who has the
authority to perform a database backup, for instance?
• SYSADM has full privileges for managing the instance and also has
access to data in the underlying databases.
• SYSCTRL and SYSMAINT have certain privileges in managing the
instance, its databases, and database objects. These authorities do not
have access to the data. For example, statements such as 'SELECT *
DBADM and LOAD are database-level authorities. They are granted to a user or a
group of users with a grant statement and revoked with a revoke statement:
connect to sample;
grant dbadm on database to user john;
grant load on database to group dbagrp;
revoke load on database from group dbagrp;
Note that users with LOAD authority also require INSERT privilege on the table
before data can be loaded. We'll talk more about privileges in the next panel.
Setting privileges
Privileges give users the right to access database objects in a specific way. The
following lists offer a summary of privileges for different database objects.
Database privileges:
• CONTROL provides the user with all privileges for a table or view as well
as the ability to grant those privileges (except CONTROL) to others.
• ALTER allows users to alter a table or view.
• DELETE allows users to delete records from a table or view.
• INDEX allows users to create indexes on a table.
• INSERT allows users to insert an entry into a table or view.
• REFERENCES allows users to create and drop a foreign key, specifying
the table as the parent in a relationship.
• SELECT allows users to retrieve rows from a table or view.
• UPDATE allows users to update entries in a table or view. This privilege
can also limit users in updating specific columns only: grant update
Although the grant privilege is extended, the revoke privilege is not. If privileges are
received through the with grant option, a user will not be able to revoke the
privileges from others. Here are some examples.
This statement allows users in the devusers group to rebind, drop, and execute the
package dev.pkg1. The same group of users can also grant BIND and EXECUTE
(but not CONTROL) privileges to others.
grant control on package dev.pkg1 to group devusers
with grant option
• The following command creates the tools catalog under the schema
toolscat in the new database toolsdb:
db2 create tools catalog toolscat create new database toolsdb
• The following command creates the tools catalog under schema toolscat
in the tbsp32k table space of an existing database toolsdb:
db2 create tools catalog toolscat user existing tablespace tbsp32k in database toolsdb
As the name implies, administration notification logs are intended for use by
database and system administrators. The DB2 diagnostic file (also referred as
db2diag.log ) contains detailed information for problem determination that is
mainly used by DB2 customer support. The dump files capture extra information in
binary format named after the failing process ID. Trap and core files are generated
when DB2 terminates abnormally and cannot continue processing. These files are
also binary files and could contain a memory image of the terminated process.
Understanding and knowing how to interpret the notification logs is a skill that you
definitely need in order to manage a DB2 server. If you do run into problems that you
cannot resolve, seek help from DB2 customer support; you'll be asked for the other
log files for more detailed investigation.
sqllib/db2dump.
Information recorded in the administration logs can be written by DB2, the Health
Monitor, and user applications. The NOTIFYLEVEL database manager configuration
parameter determines what level of information will be captured. There are five
levels of information possible:
Section 7. Conclusion
Summary
This tutorial introduced you to the basic knowledge and skills of managing DB2
servers. Every server has one or more DB2 instances. An instance provides a
logical environment in which DB2 commands and functions can execute. In the first
part of the tutorial, you learned how to create, drop, start, stop, list, migrate, and
update instances. The DB2 environment plays an important role in influencing how
DB2 behaves. It is made up of the operating system environment settings, DB2
profile registries, database manager, and database configuration parameters. They
can be easily configured with commands as illustrated in the tutorial.
You learned three methods of configuring DB2 client and server connectivity. You
can search the network with DB2 discovery, use DB2 access profiles, or specify
communication information manually. The Configuration Assistant is available to use
any of the methods to set up the node and database catalog directories. With proper
connectivity configuration, you can attach to an instance to perform remote
administration tasks and connect to a database for data access.
Managing a DB2 server also includes managing its access. DB2 security is
composed of authentication and authorization. Authentication is performed externally
by a security facility. There are different authentication types that allow you to control
where authentication should take place. Once a user is authenticated, DB2 will
check to make sure the user is allowed to perform the requested operations.
Different levels of authorities and privileges are available to support granular security
control.
You were also introduced to task creation and automation. Use the Task Center to
create tasks that are coded in DB2 commands, OS commands, or MVS shell
commands. The tool has options to enter instructions for notification purposes and
also specify other tasks to perform upon completion.
The DB2 administration notification log records errors and warnings raised by DB2,
the Health Monitor, and user applications. Each event log entry contains information
such as timestamp, database name, application ID, DB2 function and component
that raise the message. This is definitely a good place to start in troubleshooting
errors encountered in DB2.
Resources
• Check out the other parts of the DB2 V8.1 Database Administration certification
prep series:
• Data Placement: DB2 V8.1 Database Administration certification prep,
Part 2 of 6
• Database Access: DB2 V8.1 Database Administration certification prep,
Part 3 of 6
• Monitoring DB2 Activity: DB2 V8.1 Database Administration certification
prep, Part 4 of 6
• DB2 Utilities: DB2 V8.1 Database Administration certification prep, Part 5
of 6
• Backup and Recovery: DB2 V8.1 Database Administration certification
prep, Part 6 of 6
• You can learn more about managing DB2 from the following resources:
• DB2 Version 8 Administration Guide: Performance: Chapter 13.
Configuring DB2
• DB2 Version 8 Installation and Configuration Supplement:
• Chapter 2. Setting up the DB2 server after manual installation
• Chapter 3. Configuring client to server communications
• Chapter 4. Configuring DB2 server communications
• DB2 Version 8 Administration Guide: Implementation:
• Chapter 1. Before Creating a Database
• Chapter 4. Controlling Database Access
• For more information on the DB2 V8.1 for Linux, UNIX, and Windows Database
Administration Certification (Exam 701), check out these links:
• IBM Data Management Skills information
• Download a self-study course for experienced Database Administrators
(DBAs) to quickly and easily gain skills in DB2 UDB.
• Download a self study course for experienced relational database
programmers who'd like to know more about DB2.
• General Certification information -- including some book suggestions,
exam objectives, and courses.
• Check out developerWorks Toolbox for one-stop access to over 1,000 IBM
tools, middleware, and technologies from DB2, Lotus, Tivoli, and
WebSphere for open standards-based Web services and application
development.