2025-06 IDUG NA 2025

This month I wish to run through the IDUG NA 2025, not every presentation but the ones I attended or held. The IDUG was a very good one indeed, I thought! My colleague Ulf and I got off to a bad start when we missed our flight connection in Amsterdam due to bad weather but KLM got us on a flight to Boston, so we arrived in Atlanta only six hours later than planned… Ho hum! Such are the banes of modern life!

Db2 for z or Db2 for LUW?

You might well have heard that the IDUG have moved away from a pure z/OS or LUW style “tracks” system and now do a more named approach which *still* catches people out, as they assume that everything in the second column is just for LUW – Not true dear readers! Anyways, it *always* pays to read through the whole grid before planning your 10,000 steps per day timetable!

Keynote

The opening keynote “Leveraging your Db2 Data for Enterprise AI” from two IBM VPs: Minaz Merali and Priya Srinivasan, was a very good one and well attended, we just managed to finish getting our booth ready in time, as it was “news to us” that the Expo was also where the Keynotes were going to be held all week!

It starts!

The technical sessions then kicked off with a “Spotlight” session from Haakon Roberts doing his excellent “Trends and Directions” as a double header with Akiko Hoshikawa as well. It was listed as session A1 in the grid but then IDUG said it was S1 – which caused some confusion when filling in the reviews! Anyways, I really enjoyed it, especially the interaction with the audience, as they all suddenly realized that in a few short years several, or maybe lots, of their objects will be unsupported… For you, dear readers, just download and run my good old Migration HealthCheck for Db2 z/OS to see how many of the evil beasts, that IBM are now officially killing off, you still have lounging around in production! We all have time, lots of time, to “fix” these problems – Don’t panic! Even IBM must do some work to finally get rid of Simple, Multi-table and non-UTS tablespaces in the Directory and Catalog!!! But start planning and checking now… forewarned is forearmed!

Performance Review [access @ IDUG]*

Then came A2 from Akiko Hoshikawa with the “Key Performance Updates” session – again an excellent session, with the great tip around DSMAX: you should be extremely careful about having a very large number of open datasets, especially indexes, as the Root Page is always pinned in the buffer pool! So, if you have 100,000 open indexes you can imagine how bad your buffer pool(s) will look! A secondary problem is actually the time it takes to close all these datasets at Db2 shut down… Db2 does not actually care and passes the buck to z/OS to do it all!

RUNSTATS & Monitoring [access @ IDUG]*

Then I held my first session: C3 “RUNSTATS Master – reloaded”. If you want to learn waaaay more than you should about RUNSTATS, feel free to also download and run our Statistics HealthCheck for Db2 z/OS. Then I popped over to see the Tom Glaser session E5 “Don’t have an SQL monitor? You might need a bigger shovel” where he drilled down into the nuts-and-bolts of what you must/should monitor and showed which metrics are useful for tuning your systems.

Keynote – Treasure

Tuesday began with another good keynote session from Greg Lotko, a Senior VP at Broadcom. All about Pathfinders and finding treasure – extremely entertaining, I thought!

Utilities Review [access @ IDUG]*

Later the sessions started and I joined Ka Chun Ng for his “Db2 for z/OS Utilities” session as moderator… Here, some technical problems raised their ugly heads, and we had bad audio/visual issues which delayed the start by about ten minutes. This meant Ka Chun could not finish his presentation. This was a real shame, as it is crammed full of great stuff for us Utility nerds out there! He even updated me about an error I had in my RUNSTATS presentation – fantastic! Top things here, were the zIIP offload for COPY – Not much CPU is actually offloaded but how *many* image copies do you run every day?? REGION=0M is the best for utils, but we can never use that, can we? He pointed out that utilities are capped to 1.6GB – now you can allocate a correct REGION size without breaking your firm’s internal standards. Slide 19 was a useful reference for large REORGs, that we must all do at some point, to finally get to PBR RPN tablespaces. He also mentioned one of my favorite bug-bears as well -> REORG SYSLGRNX regularly with MODIFY RECOVERY – This shrinks its size dramatically and really improves over-all system performance in a major knock-on effect! Loads of people either do not know this or just do not bother!

Hack Attack? [access @ IDUG]*

A quick stroll back through the rabbit warren of rooms and corridors then brought me to F7: “How to Hack Db2 for z/OS” by Emil Kotrc – Have no fear friends, there is nothing here that will let hackers into your system like a zero-day style hack, but it is a full list of possible vectors that should be a) known about and b) discussed. Biggest take aways -> Check your access permissions to APF Authorized load libraries and sanitize your dynamic SQL input!

Top Ten Lists [access @ IDUG]*

After lunch I moderated Craig Mullins’ D8: “My All-Time Db2 Top Ten lists” which won the best user presentation award! Full of great info and great fun to see/hear. You always learn stuff at Craig’s presentations!

Security! [access @ IDUG]*

Next up was F9 from Gaya Chandran: “Modernizing your Security posture around Db2 z/OS data” which rang bells with me in my Auditor role. Slide nine was the biggest winner for me… And then she reviewed all the new/old/nice security things we have on Db2 for z/OS that must simply be reviewed and/or used… It could make your world much better!

Keynote – Go take a Hike!

Wednesday started with another great keynote from Jennifer Pharr Davis. I had a chat with her at our booth before she started and she was really interested in Db2 and the whole ecosystem. She is, what I would call, an extreme hiker! She has walked the Appalachian Trail (Spans 14 States and nearly 2,200 Miles/3,500 km) three times. Madness, I would say, but from these experiences she learned a lot about resilience and adaptability!

Profile Tables! [access @ IDUG]*

Then into session D10 with Scott Walker and Gaya Chandran: “Db2 z/OS 13 – using Profiles to monitor/block unsecure TCP/IP connectivity” we learned how Scott set up, ran, monitored, and updated all his Db2 systems to go from insecure to secure TCP/IP port usage in a well-planned and documented style. This highlighted the usefulness of PROFILE tables and proves again that this is one of the best features ever in Db2 for z/OS, in my opinion!

DORA & PCI DSS [access @ IDUG]*

Then I was up again with D11: “Isn’t she aDORAble?” all about Audit, Compliance, Resilience and how much we need to change into “internal auditors” before a “lead overseer” comes along and makes your life horrible! Feel free to use this presentation at your site to hammer home how much it will cost if you do not start doing stuff now! Due diligence… Try out our freeware SecurityAudit Health Check for Db2 z/OS.

Time to go!

That was it for me – Had to leave in the middle of lunch to get my flight back home! One last word must be mentioned about the food – Fantastic! The lunch and coffee break beverages and food were simply great! My personal favorite was when I was at the dessert table and saw “Mexican Chocolate Cheesecake” and wondered out loud to a random guy next to me “I didn’t know that Mexicans made chocolate cheesecake” he replied “The funny thing is nor did I – and I am Mexican!” Made my day!

and finally…

My colleague Ulf also got to hold a session: B15 “Understand, Manage and Love Certificates in z/OS and USS” [access @ IDUG]* on Thursday which was all about the “brave new” world of certificates and key-rings and how you cannot afford to ignore them anymore! All went down splendidly!

TTFN,

Roy Boxwell

If you attended, or it is two/three years later 🙂 , you can access all of the presentations here [access @ IDUG]*.

At the time of writing the A1/S1 presentation from Haakon is sadly not available…

Note: * To get the links to work you must be registered at IDUG *and* entitled to the content. Otherwise you will get an “Oops!” screen popping up telling you that you lack authorization! If that is the case you can then think about buying the “Premium” version of IDUG membership which does allow downloading of conference files without having to wait around two years.

2024-12 Security & Audit Check

Hi all! Welcome to the end-of-year goody that we traditionally hand out to guarantee you have something to celebrate at the end-of-year party! This time, I wish to introduce to you a full vulnerability check of your Db2 for z/OS systems.

DORA!

You should all be aware, and scared, of DORA by now. If not, read my prior newsletter 2024-11 DORA or check out my IDUG presentation or my recorded webinar. Whatever you do, you must get up to speed with DORA as it comes into force on the 17th Jan 2025 which is only one month away from the publishing date of this newsletter!

Not just Born in the USA!

Remember, DORA is valid for the whole wide world, not just businesses within the EU. If you do *any* sort of financial trading within the EU you are under the remit of DORA, just like you are with GDPR! Even if you are not trading within the EU block, doing a full vulnerability check is still a pretty good idea!

PCI DSS V4.0.1

We also now have the Payment Card Industry Data Security Standard (PCI DSS) V4.0.1 going live at the end of March 2025… Coincidence? I don’t think so. Mind you, at least the Americans do not fine anyone who fails!

What are We Offering?

This year, the product is called the SecurityAudit HealthCheck for Db2 z/OS or SAC2 for short. It is a very lightweight and robust tool which basically does all of the CIS Vulnerability checks as published by the Center for Internet Security (CIS) in a document for Db2 13 on z/OS:

CIS IBM Z System Benchmarks (cisecurity.org)

https://www.cisecurity.org/benchmark/ibm_z

This contains everything you should do for audit and vulnerability checking and is well worth a read!

Step-By-Step

First Things First!

The first thing SAC2 does, is evaluate *all* security-relevant ZPARMs and report which ones are not set to a “good” value. It then goes on to check that any default values have not been left at the default value. This especially means the TCP/IP Port number, for example. Then it finishes off by validating that SSL has been switched on for TCP/IP communications and that any and all TCP/IP ALIAS defs also have the correct settings.

Communication is Important!

Next up, is a full evaluation of your Communication Data Base (CDB). This data has been around for decades and started life for SNA and VTAM connections between Host Db2s. These days, SNA is dead and most of the connections are coming from PCs or Servers. That means that there *could* be a lot of dead data in the CDB and, even worse, ways of connecting to your mainframe that you did not even know, or forgot, existed! Think plain text password with SQLID translation for example!

Danger in the Details

Naturally, blindly changing CDB rows is asking for trouble, and if SAC2 finds anything odd/old/suspicious here, you must create a project to start removal. There is a strong correlation between “Oh I can delete that row!” and “Why can’t any of my servers talk to the mainframe anymore?”. The tool points out certain restrictions and pre-reqs that have to be done *before* you hit the big button on the wall! JDBC version for example.
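A read-only look at the TCP/IP side of the CDB along these lines, as an added example that is not SAC2's own SQL. It only reports and changes nothing; the meanings assumed for SECURE, SECURITY_OUT and USERNAMES are those given in the Db2 catalog documentation, and the FINDING texts are made up for this sketch.

```sql
-- Added example: review outbound TCP/IP definitions in the CDB.
-- Needs SELECT on SYSIBM.IPNAMES, SYSIBM.LOCATIONS and SYSIBM.USERNAMES.
-- The stored PASSWORD value is only counted, never displayed.
SELECT I.LINKNAME,
       I.IPADDR,
       L.LOCATION,
       L.PORT,
       L.SECURE,                    -- 'Y' = connection must use TLS
       I.SECURITY_OUT,              -- 'P' = auth ID and password are sent
       I.USERNAMES,                 -- 'O' = outbound ID translation
       (SELECT COUNT(*)
          FROM SYSIBM.USERNAMES U
         WHERE U.LINKNAME = I.LINKNAME
           AND U.TYPE     = 'O'
           AND U.PASSWORD <> '')    AS STORED_PWDS,
       CASE
         WHEN L.LOCATION IS NULL
              THEN 'LINK HAS NO LOCATION ROW'
         WHEN L.SECURE <> 'Y' AND I.SECURITY_OUT = 'P'
              THEN 'PASSWORD SENT, SECURE IS NOT Y'
         WHEN L.SECURE <> 'Y'
              THEN 'SECURE IS NOT Y'
         WHEN I.USERNAMES = 'O'
              THEN 'OUTBOUND ID TRANSLATION IN USE'
         ELSE      'CONFIRM LINK IS STILL NEEDED'
       END                          AS FINDING
  FROM SYSIBM.IPNAMES I
  LEFT OUTER JOIN SYSIBM.LOCATIONS L
    ON L.LINKNAME = I.LINKNAME
 ORDER BY I.LINKNAME, L.LOCATION
  WITH UR;
```

Every row is a candidate for the "is this still used?" question, so treat the output as input for the removal project rather than a delete list. The SNA definitions in SYSIBM.LUNAMES need the same review.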

Taking it All for GRANTed?

GRANTs can be the root of all evil! GRANT TO PUBLICs just make auditors cry, and use of WITH GRANT OPTION makes them jump up and down. Even IBM is now aware that blanket GRANTing can be dangerous for your health! SAC2 analyzes *all* GRANTs to make sure that PUBLIC ones are discovered on the Catalog and Directory, as these should NEVER be done (with the one tiny exception of, perhaps on a good day when the sun is shining, the SYSIBM.SYSDUMMY1). It then goes on to check all User Data, as GRANTing to PUBLIC there is just lazy. Checking everything for WITH GRANT OPTION is just making sure you are working with modern security standards!
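The table-privilege part of such a check can be written as one read-only catalog query. This is an added example, not SAC2's own SQL; it assumes Catalog and Directory objects can be recognised by TCREATOR = 'SYSIBM' and that an owner's implicit privileges appear as rows with GRANTOR = GRANTEE.

```sql
-- Added example: PUBLIC and WITH GRANT OPTION review of table privileges.
-- Needs SELECT on SYSIBM.SYSTABAUTH. Privilege columns hold
-- 'G' (held WITH GRANT OPTION), 'Y' (held) or blank (not held).
SELECT CASE
         WHEN A.GRANTEE IN ('PUBLIC', 'PUBLIC*')
          AND A.TCREATOR = 'SYSIBM'
              THEN '1 PUBLIC ON CATALOG/DIRECTORY'
         WHEN A.GRANTEE IN ('PUBLIC', 'PUBLIC*')
              THEN '2 PUBLIC ON USER DATA'
         ELSE      '3 WITH GRANT OPTION'
       END              AS FINDING,
       A.GRANTEE,
       A.GRANTEETYPE,   -- blank = auth ID, 'L' = role, 'P' = plan/package
       A.GRANTOR,
       A.TCREATOR,
       A.TTNAME,
       A.SELECTAUTH     AS SEL,
       A.INSERTAUTH     AS INS,
       A.UPDATEAUTH     AS UPD,
       A.DELETEAUTH     AS DEL,
       A.ALTERAUTH      AS ALT,
       A.INDEXAUTH      AS IDX,
       A.GRANTEDTS
  FROM SYSIBM.SYSTABAUTH A
 WHERE ( A.GRANTEE IN ('PUBLIC', 'PUBLIC*')
         OR ( A.GRANTOR <> A.GRANTEE      -- assumption: skips owner rows
              AND ( A.SELECTAUTH     = 'G'
                 OR A.INSERTAUTH     = 'G'
                 OR A.UPDATEAUTH     = 'G'
                 OR A.DELETEAUTH     = 'G'
                 OR A.ALTERAUTH      = 'G'
                 OR A.INDEXAUTH      = 'G'
                 OR A.REFERENCESAUTH = 'G'
                 OR A.TRIGGERAUTH    = 'G' ) ) )
   -- the one tolerated exception: read-only PUBLIC access to SYSDUMMY1
   AND NOT ( A.TCREATOR   = 'SYSIBM'
         AND A.TTNAME     = 'SYSDUMMY1'
         AND A.INSERTAUTH = ' '
         AND A.UPDATEAUTH = ' '
         AND A.DELETEAUTH = ' '
         AND A.SELECTAUTH <> 'G' )
 ORDER BY 1, A.TCREATOR, A.TTNAME, A.GRANTEE
  WITH UR;
```

This covers table and view privileges only; plans, packages, databases, routines and system privileges live in their own SYSIBM.SYS*AUTH tables and need the same two tests.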

Fun Stuff!

These days you should be using Trusted Contexts to access from outside the Host. This then requires Roles and all of this needs tamper-proof Audit Policies. On top of all this are the extra bits and pieces of Row Permissions and Column Masks. All of these must be validated for the auditors!

Elevated Users?

Then it lists out the group of privileged User IDs. These all have elevated rights and must all be checked in detail as to who has what and why.

Recovery Status Report

Finally, it lists out a full Recovery Status Report so that you can be sure that, at the time of execution, all of your data was Recoverable.

It is a Lot to Process!

It is indeed. The first time you run it, you might well get tens of thousands of lines of output but the important thing is to run it and break it down into little manageable sections that different groups can then work on. This is called “Due Diligence” and can save your firm millions of euros in fines.

Lead Overseer

Great job title, but if this person requests data then you have 30 days to supply everything they request. Not long at all! SAC2 does the lion’s share of the work for you.

Again and Again and Again

Remember, you must re-run this vulnerability check on a regular basis for two major reasons:

  1. Things change – Software, Malware, Attackers, Defenders, Networks, Db2 Releases etc.
  2. Checks get updated – The auditors are always looking for more!

Stay Out of Trouble!

Register, download, install and run today!

I hope it helps you!

TTFN

Roy Boxwell

Future Updates:

The SAC2 licensed version will be getting upgraded in the first quarter of 2025 to output the results of the run into a Comma Separated File (CSV) to make management reporting and delegation of projects to fix any found problems easier. It will also get System Level Backup (SLB) support added. SLB is good but you *still* need Full Image Copies! Further, it will be enhanced to directly interface with our WLX Audit product.

2020-04 Four Flavors of Db2 Audit

These days there is a lot of talk about audit, specifically regarding Db2 on z/OS. So, in this newsletter, I wish to run through four different ways that you can “Get Audit Done”.

As well as simply getting it done, I will also run through the four different ways that you can process the gathered data.


Four ways to get a Db2 z/OS Audit done


1- First up

First option is the simplest, cheapest and quickest:

Do nothing.

Whether or not this will help your company is a non-trivial question of course!

Naturally this is an absolute No No.


2- Then we have

Next option is relatively simple and cheap, but requires a bit of work: 

Write it all yourself but based on existing data that some other process already extracts for you, (SMF for example). 

If you happen to have the skills for extracting the required audit data from existing data that is being collected anyway, then this might well be the best method if you are really strapped for resources. 


3- Getting there 

Then we have not so simple, still cheap, but a ton of work: 

Write it all yourself and add all the IFCIDs you actually need to audit your system as well as capturing all the SQL. 

This needs a serious amount of skills to get and keep up with the agile world of Db2. You will also need to take care of the amount of data that you will be collecting.

However, the auditor will be happy as you have everything they could ask for.


4- Aha! The only true way 

Last option is simple, not so cheap but very quick: 

Third Party software that does it all for you.

This is my preferred solution, especially as we just happen to sell one (WorkLoadExpert Audit).

This is actually the only real way to go. You probably don’t have the time to keep all these things up-to-date and running correctly. 

Data Collected – Now what? 

So, you have chosen one of these ways to gather the data. Now you must evaluate what you got. Here again we have four separate ways to go forward: 

First up 

There it is! 

Do nothing. Just point at the datasets, print outs, database objects and say “It is all in there…” 

This is not really a solution and any auditor worth his, or her, salt would quite rightly be extremely upset! 

Then we have 

A whole bunch of pre-written SQLs. 

SPUFI is ok, but much better would be to see these in a GUI where graphical viewing is built in and saving and sharing results is much easier.  

This is not bad, but still a manual “island” process. Just Db2 and nothing else plus it must be triggered by humans. 

Getting there

A whole bunch of pre-written and custom SQLs.

This time, all run in Batch and the results are emailed to the auditor directly. These emails can “just sit there” until the auditor checks the results. Naturally, if anything is found, then the underlying data must still be there for a detailed analysis.

Better, as it is getting automatic but still not really “round”, as it is still Db2 in isolation…

Aha! The only true way

Use of LEEF or SYSLOGGER-style formats to export all audit data.

The data is then in a data-lake where SPLUNK, QRADAR et al can happily slice and dice their way through the data.

This is the best way!

You also get an extra bonus point for *removing* the data from the mainframe. As auditors *love* a single point of control, this is the only real way forward. It also pushes the Db2 data into the world of other data that auditors use and require.


Db2 Audit with “GIVE&TAKE” :


Software Engineering GmbH and SEGUS Inc are launching a new free Give&Take which this time is the Audit support from WorkLoadExpert.

If you would like to take part, then please just fire off an email to db2support@segus.com telling us who you are and which firm you work for and we will get in touch!

Give and Take 

By the way, it is called “Give&Take” because :

  • we Give you the software, for free, to run for a trial period, and
  • we would like to Take away what you think, feel, and find about the software after the trial period. 

More about Give&Take


TTFN, 

Roy Boxwell 

BIF HealthCheck Licensed Freeware for DB2 11

Detect static and dynamic SQL and match to the relevant collection, packages,…

BIF HealthCheck overview (Built-in Function Checker for DB2 z/OS)

BIF HealthCheck reports the following BIF incompatibilities in DB2 11

  • Execution of the DB2 9 for z/OS version of SYSIBM.CHAR(DECIMAL-EXPR)
  • Execution of the DB2 9 for z/OS version of SYSIBM.VARCHAR(DECIMAL-EXPR), CAST (DECIMAL AS VARCHAR), OR CAST (DECIMAL AS CHAR)

  • Use of an unsupported character string representation of a TIMESTAMP
  • Use of the DB2 10 for z/OS default SQL path instead of the V11 path, which has more implicit Schemas

  • Execution of a non-Java client that called a Stored Procedure (SP) that is on the DB2 for z/OS Data Server, while subsystem parameter DDF_COMPATIBILITY was set to SP_PARMS_NJV (the Data Server returned output argument values whose data types matched the data types of the call statement arguments).
  • Execution of an insert statement that inserts into an XML column without the XMLDOCUMENT function, which generates SQLCODE -20345 on a DB2 release prior to V11, but does not generate an error starting in V11

  • V10 XPATH evaluation behavior was in effect, which resulted in an error (e.g. a data type conversion error occurred for a predicate that would otherwise be evaluated to false.). Starting in V11, such errors might be suppressed

  • Execution of a SQL statement by a client non-Java, or Java application that included an unsupported conversion from a string type to a numeric type, or from a numeric type to a string type while the DB2 z/OS Data Server environment was one of the following (the Data Server issues SQLCODE -301):
    • The Data Server was in version 11 New-Function Mode (NFM)
    • APPLICATION COMPATIBILITY was set to V10R1
    • Implicit casting was disabled because subsystem parameter DDF_COMPATIBILITY was set to SP_PARMS_NJV, or DISABLE_IMPCAST_NJV

BIF incompatibilities in DB2 10

 

More about BIF

BIF-Usage

Presentation: BIF Compatibility, DB2 10 compatibility mode. Changes to the STRING formatting of decimal data within the CHAR and VARCHAR built-in functions and to the CAST specification with CHAR and VARCHAR result types, as well as UNSUPPORTED TIMESTAMP STRINGs.

White Paper: Finding BIFs, And How to Lead a Problem-Free Life With Them in the Future. Navigating the Challenges of moving to a new DB2 Release.

Newsletter: 2015-01 – BIFCIDS – Where’s the BIF? How will you deal with loop-hole usage in production code?

Video: BIF Usage (11 min.). Trap and correct the BIFs that will cause belly-ache one day soon.

“Give and Take” Program page: Give and Take Program

We have “GIVEn” various free-of-charge Use Cases from SQL Workload Expert for DB2 z/OS like

  1. Index Maintenance Costs
  2. EXPLAIN Suppression
  3. BIF Usage
  4. BIF Healthcheck (Freeware) – This last one is still available

We TAKE the anonymized results for research and will communicate with the local User Groups for discussions.

User Statements: BIF Usage, “Give and Take Program 3”

Customer Comments: Read the Customer Comments across the Industry

  • Health Care
  • Insurance
  • Banking
  • Car Manufacturing

BIF HealthCheck licensed Freeware for DB2 10

Detect static and dynamic SQL and match to the relevant collection, packages,…

BIF HealthCheck overview (Built-in Function Checker for DB2 z/OS)

BIF HealthCheck reports the following BIF incompatibilities in DB2 10

  • Execution of the DB2 9 for z/OS version of SYSIBM.CHAR(DECIMAL-EXPR)
  • Execution of the DB2 9 for z/OS version of SYSIBM.VARCHAR(DECIMAL-EXPR), CAST (DECIMAL AS VARCHAR), OR CAST (DECIMAL AS CHAR)

  • Use of an unsupported character string representation of a TIMESTAMP
  • Use of a USER-DEFINED FUNCTION (UDF) that has the unqualified name ARRAY_EXISTS
  • Use of a USER-DEFINED FUNCTION (UDF) that has the unqualified name CUBE
  • Use of a USER-DEFINED FUNCTION (UDF) that has the unqualified name ROLLUP

  • Execution of a non-Java client that called a Stored Procedure (SP) that is on the DB2 for z/OS Data Server, while subsystem parameter DDF_COMPATIBILITY was set to SP_PARMS_NJV (the Data Server returned output argument values whose data types matched the data types of the call statement arguments).

  • Execution of a SQL statement by a client non-Java application that included an unsupported conversion from a string type to a numeric type, while the DB2 z/OS Data Server environment was one of the following (the Data Server issues SQLCODE -301)
    • In version 10 Conversion Mode (CM)
    • In version 10 New-Function Mode (NFM) and implicit casting was disabled because subsystem parameter DDF_COMPATIBILITY was set to SP_PARMS_NJV, or DISABLE_IMPCAST_NJV

 

BIF incompatibilities in DB2 11

 
