© 2016 IBM Corporation
IBM i Technical Workshop 2016
DB2 for i updates
Jesse R. Gorzinski, MBA
IBM i Emerging Solutions
Agenda
• TR3/TR11 updates
• IBM i Services
• DB2 security enhancements
TR3/TR11 updates
DB2 for i – Enhancements delivered via DB2 PTF Groups (IBM i 7.1 & 7.2)

Enhancements delivered by PTF are documented here:
www.ibm.com/developerworks/ibmi/techupdates/db2

[Timeline figure, 2014–2015: 7.1 TR7 through 7.1 TR11 and 7.2 GA through 7.2 TR3, with the corresponding DB2 PTF Group levels SF99701 Levels 26, 29, 32, 34 and 38 (7.1) and SF99702 Levels 1, 3, 5 and 9 (7.2)]

7.1 TR8 & TR9 timed enhancements:
• Generate SQL procedure
• Program & package statement-level statistical catalogs
• Pipelined functions
• Regular expressions
• Padding scalar functions

7.2 TR1 timed enhancements:
• CREATE OR REPLACE support on MASK and PERMISSION
• DB2 built-in global variables for job name
• System Limits Phase 3 - IFS
• And more…

TR2 / TR10 enhancements:
• CREATE OR REPLACE TABLE
• JSON – DB2 Store Technology Preview
• SQE performance improvements
• And more…

Enhancements in TR3 / TR11:
• LIMIT and OFFSET
• Guardium V10 and other database security monitoring enhancements
• SQE performance improvements
• More IBM i Services
• New SQL built-in functions
• Enhancements for SAP on i clients
DB2 for i – Application Development
SQL Programming enhancements
• LIMIT and OFFSET
• Remote 3-part name support on ASSOCIATE LOCATOR
• CREATE VARIABLE <name> FOR SYSTEM NAME <srvpgm-name>
• Remove the 8-80 Column restriction for RPG (SQL Precompiler)
• Debugger improvements for LANGUAGE SQL users
Query enhancements
• Views with global variables in the WHERE clause can be insertable
• New Scalar functions
o OVERLAY
o LOCATE_IN_STRING & INSTR
LIMIT and OFFSET
• LIMIT and OFFSET support is popular, but non-standard; the DB2 Family recently decided to add the support
• This style of data access is most useful for those cases where you only need a subset (page) of rows
• The offset-clause is only allowed as part of the outer fullselect of a DECLARE CURSOR statement or a prepared select-statement
• Initially, there is no support in STRSQL

Syntax             Alternative Syntax                         Action
LIMIT x            FETCH FIRST x ROWS ONLY                    Return the first x rows
LIMIT x OFFSET y   OFFSET y ROWS FETCH FIRST x ROWS ONLY      Skip the first y rows and return the next x rows
LIMIT y , x        OFFSET y ROWS FETCH FIRST x ROWS ONLY      Skip the first y rows and return the next x rows
OFFSET and LIMIT for Stateless Pagination
Each page is retrieved by a separate, stateless request:
• Connect, SELECT…OFFSET 0 LIMIT 5, fetch 5 rows, close, disconnect
• Connect, SELECT…OFFSET 5 LIMIT 5, fetch 5 rows, close, disconnect
• Connect, SELECT…OFFSET 10 LIMIT 5, fetch 5 rows, close, disconnect

Result set:
Row Number   Ordering Data   Unique key (Encrypted)
1            Abcd            1234
2            Abdc            3214
3            Acbd            4131
4            Acdb            2143
5            Bacd            1243
6            Bacd            2341
7            Bcad            4213
8            Bcda            3142
9            Bdac            1423
10           Bdca            2431
11           Bdca            3412
12           Cadb            1324
13           Cbad            4321
LIMIT and OFFSET

CREATE OR REPLACE PROCEDURE TOYSTORE.FIND_EMPLOYEES(IN P_PAGESIZE BIGINT, IN P_OFFSET BIGINT)
  DYNAMIC RESULT SETS 1
  LANGUAGE SQL
BEGIN
  DECLARE V_PREP_STMT1 VARCHAR(4096);
  DECLARE CEMP_RESULT_SET1 CURSOR WITH RETURN FOR PREP_STMT1;
  SET V_PREP_STMT1 = 'SELECT EMPNO, HIREDATE, LASTNAME FROM TOYSTORE.EMPLOYEE ORDER BY HIREDATE DESC LIMIT ? OFFSET ?';
  PREPARE PREP_STMT1 FROM V_PREP_STMT1;
  OPEN CEMP_RESULT_SET1 USING P_PAGESIZE, P_OFFSET;
END;

CALL TOYSTORE.FIND_EMPLOYEES(10, 0);    -- Page 1
CALL TOYSTORE.FIND_EMPLOYEES(10, 10);   -- Page 2
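The procedure above orders only by HIREDATE. The result set on the previous slide shows why that matters for stateless paging: two rows carry the same ordering value (Bacd at rows 5 and 6), and with a non-unique ORDER BY the relative position of tied rows is not guaranteed from one request to the next, so a row can show up on two pages or on none. The following is an added example, not from the original slides. It uses a scratch table TOYSTORE.EMPLOYEE_PAGING (an assumed name, with constructed rows) to show the deterministic ordering, and goes one step beyond the slide with a keyset variant that also holds up when rows are inserted or deleted between requests.

```sql
-- Added example (not from the original slides). Scratch table and rows are
-- constructed; the name TOYSTORE.EMPLOYEE_PAGING is an assumption.
CREATE TABLE TOYSTORE.EMPLOYEE_PAGING (
  EMPNO    CHAR(6)     NOT NULL PRIMARY KEY,
  HIREDATE DATE        NOT NULL,
  LASTNAME VARCHAR(15) NOT NULL);

INSERT INTO TOYSTORE.EMPLOYEE_PAGING VALUES
  ('000010', '2015-03-01', 'HAAS'),
  ('000020', '2015-03-01', 'THOMPSON'),   -- same HIREDATE as 000010: a tie
  ('000030', '2015-02-14', 'KWAN'),
  ('000050', '2015-02-14', 'GEYER'),      -- another tie
  ('000060', '2014-11-30', 'STERN'),
  ('000070', '2014-07-04', 'PULASKI');

-- Page 2 with the slide's ordering: which of the tied rows lands on page 1
-- and which on page 2 is unspecified, and may differ between two requests.
SELECT EMPNO, HIREDATE, LASTNAME
  FROM TOYSTORE.EMPLOYEE_PAGING
 ORDER BY HIREDATE DESC
 LIMIT 2 OFFSET 2;

-- Deterministic paging: add the unique key as the last ORDER BY column so
-- every request sees the same total order.
SELECT EMPNO, HIREDATE, LASTNAME
  FROM TOYSTORE.EMPLOYEE_PAGING
 ORDER BY HIREDATE DESC, EMPNO
 LIMIT 2 OFFSET 2;
-- returns 000030 KWAN and 000050 GEYER on every request

-- Keyset paging: instead of OFFSET, the client resends the last row of the
-- previous page (page 1 ended at HIREDATE 2015-03-01, EMPNO '000020').
-- Rows inserted or deleted before that point no longer shift the page
-- boundary, and the database does not read and discard the skipped rows.
SELECT EMPNO, HIREDATE, LASTNAME
  FROM TOYSTORE.EMPLOYEE_PAGING
 WHERE HIREDATE < '2015-03-01'
    OR (HIREDATE = '2015-03-01' AND EMPNO > '000020')
 ORDER BY HIREDATE DESC, EMPNO
 LIMIT 2;
-- returns 000030 KWAN and 000050 GEYER

DROP TABLE TOYSTORE.EMPLOYEE_PAGING;
```

The tie-break column must be unique within the table (the primary key is the natural choice); any column that can repeat leaves the same gap the slide's unique-key column is there to close.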
Flexible Views
• Traditional views are based upon a query that is locked in at create time
• Views with WHERE clause references to DB2 built-in global variables or DB2 global variables are flexible
• With the latest DB2 PTF Group, these views are eligible to be insertable, updateable, and deletable

[Figure: a traditional view over Department determines its rows at CREATE VIEW time; a flexible view over Department determines its rows when queried, from the global variable(s)]
Flexible Views

CREATE OR REPLACE VARIABLE TOYSTORE.CURRENT_DEPARTMENT FOR SYSTEM NAME CUR_DEPT CHAR(3) DEFAULT 'D21';

CREATE OR REPLACE VIEW TOYSTORE.DEPARTMENT_VIEW FOR SYSTEM NAME DEPTV AS
  SELECT DEPTNO, DEPTNAME, MGRNO, ADMRDEPT, LOCATION
    FROM TOYSTORE.DEPARTMENT
   WHERE TOYSTORE.CURRENT_DEPARTMENT = DEPTNO;

-- Update rows where DEPTNO = 'D21'
UPDATE TOYSTORE.DEPARTMENT_VIEW SET LOCATION = 'Kingston';

-- Insert a new row (the enhancement: the flexible view is now insertable)
INSERT INTO TOYSTORE.DEPARTMENT_VIEW
  VALUES('D33', 'Gardening and landscaping', '000110', 'A00', NULL);
DB2 for i – Performance
Availability enhancement
• Improved internal management of SQL packages for SAP clients
  Use the SQL_STMT_COMPRESS_REUSE_MIN QAQQINI control to extend the lifespan of a Process Extended Dynamic *SQLPKG:
  0 (default)   The statement reuse count is not considered when performing package compression
  1-32767       The minimum number of times a statement has to be reused in order for it to remain in the package at compression time

INSERT INTO QUSRSYS.QAQQINI
  VALUES('SQL_STMT_COMPRESS_REUSE_MIN', 5, DEFAULT)
EVI Only Access (EOA)
• EVIs are improved through an enhanced in-memory oriented access capability via its patented database EVI (Encoded Vector Index) technology to facilitate enhanced aggregate query performance.
• EVIs traditionally focus on selection keys with low cardinality
• With this enhancement, EVIs can be used for projection of column values

Example performance benefit: SELECT COUNT(DISTINCT(fld1)) WHERE fld2 < 'value'

With EOA, the SAP BW-EML Benchmark improved by more than 20%
DB2 for i Services
IBM i Services for SQL users
http://ibm.biz/DB2foriServices

[Timeline figure, 2015–2016: 7.2 TR1 through 7.2 TR4 and 7.3 GA]

Services in 2014:
• JOURNAL_INFO
• LIBRARY_LIST_INFO
• REPLY_LIST_INFO
• JOBLOG_INFO()
• SYSTMPSTG (7.2)
• DB2 for i built-in Global Variables (7.2)
• JOB_NAME (7.2)
• SERVER_MODE_JOB_NAME (7.2)
• SYSTOOLS.GROUP_PTF_CURRENCY

Services in 2Q/2015:
• ACTIVE_JOB_INFO()
• SCHEDULED_JOB_INFO
• SERVER_SBS_ROUTING
• SET_SERVER_SBS_ROUTING()
• DRDA_AUTHENTICATION_ENTRY_INFO
• JVM_INFO
• SET_JVM()

Services in 4Q/2015:
• MEMORY_POOL_INFO
• SYSTEM_STATUS_INFO
• LICENSE_INFO
• OBJECT_LOCK_INFO
• RECORD_LOCK_INFO
• OUTPUT_QUEUE_ENTRIES
• MEDIA_LIBRARY_INFO
• NETSTAT_INFO
• NETSTAT_JOB_INFO
• NETSTAT_INTERFACE_INFO
• NETSTAT_ROUTE_INFO
• SYSTOOLS.GROUP_PTF_DETAILS

Services in 2Q/2016:
• OUTPUT_QUEUE_INFO
• ENVIRONMENT_VARIABLE_INFO
• SERVICES_INFO
• Services & SQL dependency management
• Enhanced NETSTAT services
• Enhanced SET_SERVER_SBS_ROUTING()
• Enhanced System Limits
• Enhanced DISPLAY_JOURNAL()
• Enhanced OBJECT_STATISTICS (7.3 only)
• AUTHORITY_COLLECTION (7.3 only)
SYSTOOLS.GROUP_PTF_CURRENCY View
Live comparison of PTF Group levels via IBM PSP feed

SELECT * FROM SYSTOOLS.GROUP_PTF_CURRENCY
 WHERE PTF_GROUP_RELEASE = 'R720'
 ORDER BY ptf_group_level_available - ptf_group_level_installed DESC;

[Result columns shown on the slide: current or behind on service?; PTF Group info; level installed on this partition; level available from IBM; date that IBM last updated this group]
QSYS2.Display_Journal – User Defined Table Function

Before 7.2 (must specify all 15 parameters, in order):

SELECT journal_code, journal_entry_type, object, object_type, X.*
  FROM TABLE ( QSYS2.Display_Journal(
         'PRODDATA', 'QSQJRN',          -- Journal library and name
         '', '',                        -- Receiver library and name
         CAST(null as TIMESTAMP),       -- Starting timestamp
         CAST(null as DECIMAL(21,0)),   -- Starting sequence number
         '',                            -- Journal codes
         '',                            -- Journal entries
         '', '', '', '',                -- Object library, Object name, Object type, Object member
         'SCOTT',                       -- User
         '',                            -- Job
         ''                             -- Program
       ) ) AS x
 ORDER BY entry_timestamp DESC;

With 7.2 or 7.3 (leverage default & named parameters):

SELECT journal_code, journal_entry_type, object, object_type, X.*
  FROM TABLE ( QSYS2.Display_Journal(
         'PRODDATA', 'QSQJRN',          -- Journal library and name
         "USER" => 'SCOTT'              -- User
       ) ) AS x
 ORDER BY entry_timestamp DESC;
DISPLAY_JOURNAL() – Did any objects get deleted?

--
-- Who deleted objects in the TOYSTORE1 library?
--
SELECT "CURRENT_USER", journal_code, journal_entry_type, object, object_type, X.*
  FROM TABLE (
         QSYS2.Display_Journal(
           'QSYS', 'QAUDJRN',               -- Journal library and name
           OBJECT_LIBRARY => 'TOYSTORE1',
           JOURNAL_ENTRY_TYPES => 'DO'      -- Deleted object
       ) ) AS x
 WHERE OBJECT LIKE '%TOYSTORE1%'
 ORDER BY entry_timestamp DESC;
DISPLAY_JOURNAL() – Who deleted data?

-- Which rows were deleted from TOYSTORE5/SALES table this week?
select ENTRY_DATA, ENTRY_TIMESTAMP, JOURNAL_ENTRY_TYPE, COUNT_OR_RRN as ROW_DELETED, "CURRENT_USER",
       RTRIM(JOB_NUMBER) CONCAT '/' CONCAT RTRIM(JOB_USER) CONCAT '/' CONCAT RTRIM(JOB_NAME) AS Qualified_Job_Name
  from table (
         QSYS2.Display_Journal(
           'TOYSTORE', 'QSQJRN',           -- Journal library and name
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,
           JOURNAL_ENTRY_TYPES => 'DL',
           OBJECT_LIBRARY => 'TOYSTORE',
           OBJECT_NAME => 'SALES',
           OBJECT_OBJTYPE => '*FILE',
           OBJECT_MEMBER => 'SALES'
       ) ) as x
 order by entry_timestamp desc;
DISPLAY_JOURNAL() – What data did they delete?

-- What data was deleted from PRODDATA/SALES table this week?
-- (the column offsets below are taken relative to position 610 of ENTRY_DATA)
select
  cast(cast(substring(entry_data,610-610+1,10) as VARCHAR(10) for bit data) as DATE) AS SALES_DATE,
  cast(cast(substring(entry_data,622-610+1,15) as VARCHAR(15) for bit data) as varchar(15) ccsid 37) as SALES_PERSON,
  cast(cast(substring(entry_data,638-610+1,15) as VARCHAR(15) for bit data) as varchar(15) ccsid 37) as REGION,
  cast(cast(substring(entry_data,655-610+1,4) as VARCHAR(4) for bit data) as varchar(4)) as SALES
  from table (
         QSYS2.Display_Journal(
           'TOYSTORE', 'QSQJRN',           -- Journal library and name
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,
           JOURNAL_ENTRY_TYPES => 'DL',
           OBJECT_LIBRARY => 'TOYSTORE',
           OBJECT_NAME => 'SALES',
           OBJECT_OBJTYPE => '*FILE',
           OBJECT_MEMBER => 'SALES'
       ) ) as x
 order by entry_timestamp desc;
QSYS2.SYSTEM_VALUE_INFO – view
• The new view returns the same data as the Retrieve System Values (QWCRSVAL) API
• *ALLOBJ or *AUDIT special authority is required to retrieve the values for QAUDCTL, QAUDENDACN, QAUDFRCLVL, QAUDLVL, QAUDLVL2, and QCRTOBJAUD ('*NOTAVL' or -1 are returned when accessed by an unauthorized user)

-- Examine the system values related to maximums
SELECT * FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME LIKE '%MAX%'
 ORDER BY SYSTEM_VALUE_NAME;
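As an added example, not from the original slides, here is one query that reviews the audit-related system values named above together with QSECURITY and QPWDLVL, and labels the rows that come back as '*NOTAVL' / -1 because the caller lacks *ALLOBJ or *AUDIT. It assumes the view's value columns are named CURRENT_NUMERIC_VALUE and CURRENT_CHARACTER_VALUE; the slide itself only shows SYSTEM_VALUE_NAME.

```sql
-- Added example (not from the original slides). The value column names
-- CURRENT_NUMERIC_VALUE / CURRENT_CHARACTER_VALUE are an assumption.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE,
       CASE
         -- the sentinel values the slide describes for an unauthorized caller
         WHEN CURRENT_NUMERIC_VALUE = -1
           OR CURRENT_CHARACTER_VALUE = '*NOTAVL'
           THEN 'NOT AUTHORIZED - caller needs *ALLOBJ or *AUDIT'
         -- QAUDCTL(*NONE) means no security auditing is being written
         WHEN SYSTEM_VALUE_NAME = 'QAUDCTL'
          AND CURRENT_CHARACTER_VALUE = '*NONE'
           THEN 'CHECK - security auditing is switched off'
         ELSE 'OK'
       END AS REVIEW_NOTE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDENDACN', 'QAUDFRCLVL',
                             'QAUDLVL', 'QAUDLVL2', 'QCRTOBJAUD',
                             'QSECURITY', 'QPWDLVL')
 ORDER BY SYSTEM_VALUE_NAME;
```

Run it from a profile without *AUDIT first: the NOT AUTHORIZED rows are exactly the six values the slide lists, which is a quick way to confirm the view is enforcing the restriction rather than leaking the audit configuration to ordinary users.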
QSYS2.ACTIVE_JOB_INFO() – UDTF
The ACTIVE_JOB_INFO table function returns one row for every active job. The information returned is similar to the detail seen from the Work with Active Jobs (WRKACTJOB) command and the Open List of Jobs (QGYOLJOB) API.
The ACTIVE_JOB_INFO table function has two uses:
1. To retrieve details for active jobs. Optional parameters can be used to filter the jobs.
2. To measure elapsed statistics for active jobs. An optional parameter can be used to reset statistics.
UDTF Parameters:
1. RESET_STATISTICS (YES or NO) – Establish a new baseline for elapsed time measurements
2. SUBSYSTEM_LIST_FILTER – Optional list of up to 25 subsystem names
3. JOB_NAME_FILTER – Optional generic name or special values
4. CURRENT_USER_LIST_FILTER – Optional list of up to 10 user profile names
Additional filtering can be used on the WHERE clause.
QSYS2.ACTIVE_JOB_INFO() – UDTF

--
-- Find the top CPU consumers in active Host Server jobs
--
SELECT JOB_NAME, AUTHORIZATION_NAME, ELAPSED_CPU_PERCENTAGE,
       ELAPSED_TOTAL_DISK_IO_COUNT, ELAPSED_PAGE_FAULT_COUNT, X.*
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(JOB_NAME_FILTER => 'QZDASOINIT',
                                   SUBSYSTEM_LIST_FILTER => 'QUSRWRK')) x
 ORDER BY ELAPSED_CPU_PERCENTAGE DESC
 LIMIT 10
QSYS2.GET_JOB_INFO() – UDTF

--
-- Find the longest running SQL statements
--
WITH ACTIVE_USER_JOBS (Q_JOB_NAME, CPU_TIME, RUN_PRIORITY) AS (
  SELECT JOB_NAME, CPU_TIME, RUN_PRIORITY
    FROM TABLE(QSYS2.ACTIVE_JOB_INFO('NO','','','')) x
   WHERE JOB_TYPE <> 'SYS'
)
SELECT Q_JOB_NAME, CPU_TIME, RUN_PRIORITY, V_SQL_STATEMENT_TEXT,
       ABS(CURRENT TIMESTAMP - V_SQL_STMT_START_TIMESTAMP) AS SQL_STMT_DURATION, B.*
  FROM ACTIVE_USER_JOBS,
       TABLE(QSYS2.GET_JOB_INFO(Q_JOB_NAME)) B
 WHERE V_SQL_STMT_STATUS = 'ACTIVE'
 ORDER BY SQL_STMT_DURATION DESC
ACTIVE_JOB_INFO() & JOBLOG_INFO()

-- Find active QSQSRVR jobs and the owning application job
-- order the results by top CPU consumers
WITH tt (authorization_name, job_name, cpu_time, total_disk_io_count) AS (
  select authorization_name, job_name, cpu_time, total_disk_io_count
    from table(qsys2.active_job_info(SUBSYSTEM_LIST_FILTER=>'QSYSWRK',
                                     JOB_NAME_FILTER=>'QSQSRVR')) x
)
select authorization_name, ss.message_text, job_name, cpu_time, total_disk_io_count
  from tt, table(qsys2.joblog_info(job_name)) ss
 where message_id = 'CPF9898' and from_program = 'QSQSRVR'
 ORDER BY CPU_TIME DESC;
QSYS2.GROUP_PROFILE_ENTRIES – view
Use SQL to understand:
• What Group Profiles exist
• Which User Profiles belong to specific Group Profiles
• The text associated with the profile
Handles both:
Group profile . . . . . . . . . GRPPRF
Supplemental groups . . SUPGRPPRF

-- Examine all groups and the group members
SELECT * from qsys2.group_profile_entries;
QSYS2.USER_INFO – view
• Built upon the data returned by the Retrieve User Information (QSYRUSRI) API.
• Users see the data for any *USRPRF to which they have *READ authority
• Setup details, authorizations, and more… easy access to deep details

-- Which users are having trouble signing on?
SELECT * FROM QSYS2.USER_INFO
 WHERE SIGN_ON_ATTEMPTS_NOT_VALID > 3
QSYS2.USER_INFO – view
• Authority Collection usage scenarios…

--
-- Which users have authority collection detail?
--
SELECT AUTHORIZATION_NAME, AUTHORITY_COLLECTION_ACTIVE
  FROM QSYS2.USER_INFO
 WHERE AUTHORITY_COLLECTION_REPOSITORY_EXISTS = 'YES';

--
-- Which users have ACTIVE authority collection on-going?
--
SELECT AUTHORIZATION_NAME, AUTHORITY_COLLECTION_REPOSITORY_EXISTS
  FROM QSYS2.USER_INFO
 WHERE AUTHORITY_COLLECTION_ACTIVE = 'YES';
USER_INFO & GROUP_PROFILE_ENTRIES – Views
• Leverage multiple services to answer more interesting questions

--
-- Which users have *ALLOBJ authority either directly
-- or via a Group or Supplemental profile?
--
SELECT AUTHORIZATION_NAME, STATUS, NO_PASSWORD_INDICATOR, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR AUTHORIZATION_NAME IN (
         SELECT USER_PROFILE_NAME
           FROM QSYS2.GROUP_PROFILE_ENTRIES
          WHERE GROUP_PROFILE_NAME IN (
                  SELECT AUTHORIZATION_NAME
                    FROM QSYS2.USER_INFO
                   WHERE SPECIAL_AUTHORITIES like '%*ALLOBJ%'))
 ORDER BY AUTHORIZATION_NAME
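The query above stops at *ALLOBJ and does not say where the authority came from. As an added example, not from the original slides, the following generalises it to a watch-list of special authorities and reports, for every holder, whether the authority is held directly or inherited from a group or supplemental group. It uses only the USER_INFO and GROUP_PROFILE_ENTRIES columns shown on these slides; the watch-list is a constructed choice.

```sql
-- Added example (not from the original slides). Columns are those shown on the
-- USER_INFO and GROUP_PROFILE_ENTRIES slides; the watched list is constructed.
WITH WATCHED (AUTH) AS (
       VALUES ('*ALLOBJ'), ('*SECADM'), ('*SERVICE'), ('*AUDIT'), ('*IOSYSCFG')
     ),
     DIRECT_HOLDERS AS (
       -- the authority appears in the profile's own SPECIAL_AUTHORITIES
       SELECT U.AUTHORIZATION_NAME AS USER_NAME, W.AUTH,
              'DIRECT' AS VIA, CAST(NULL AS VARCHAR(10)) AS VIA_GROUP,
              U.STATUS, U.PREVIOUS_SIGNON
         FROM QSYS2.USER_INFO U
         JOIN WATCHED W
           ON U.SPECIAL_AUTHORITIES LIKE '%' CONCAT W.AUTH CONCAT '%'
     ),
     INHERITED_HOLDERS AS (
       -- a group profile cannot itself belong to a group on IBM i, so one
       -- level of membership (GRPPRF or SUPGRPPRF) is the whole chain
       SELECT M.USER_PROFILE_NAME, W.AUTH,
              'GROUP', G.AUTHORIZATION_NAME,
              U.STATUS, U.PREVIOUS_SIGNON
         FROM QSYS2.USER_INFO G
         JOIN WATCHED W
           ON G.SPECIAL_AUTHORITIES LIKE '%' CONCAT W.AUTH CONCAT '%'
         JOIN QSYS2.GROUP_PROFILE_ENTRIES M
           ON M.GROUP_PROFILE_NAME = G.AUTHORIZATION_NAME
         JOIN QSYS2.USER_INFO U
           ON U.AUTHORIZATION_NAME = M.USER_PROFILE_NAME
     )
SELECT * FROM DIRECT_HOLDERS
UNION ALL
SELECT * FROM INHERITED_HOLDERS
ORDER BY AUTH, USER_NAME, VIA;
```

Reviewing the GROUP rows is where the surprises usually are: a user who looks harmless in USER_INFO but is a member of a group that carries *ALLOBJ or *SECADM is as powerful as the group, and the STATUS and PREVIOUS_SIGNON columns show whether that power is sitting on a disabled or long-unused profile.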
USER_INFO & GROUP_PROFILE_ENTRIES – Views
[Figure: query results – excess authority identified using SQL]
QSYS2.DRDA_AUTHENTICATION_ENTRY_INFO – View
The DRDA_AUTHENTICATION_ENTRY_INFO view can be used to assess, track and compare DRDA & DDM user access. Prior to this catalog, the Display Server Authentication Entries (DSPSVRAUTE) command had to be used, one user at a time.

-- Review the DRDA Authentication configuration
SELECT * FROM QSYS2.DRDA_AUTHENTICATION_ENTRY_INFO
 ORDER BY AUTHORIZATION_NAME, SERVER_NAME;
QSYS2.USER_STORAGE – view
• Built upon the data returned by the Retrieve User Information (QSYRUSRI) API.
• Users see the data for any *USRPRF to which they have *READ authority
• User storage is broken down by SYSBAS and iASPs

-- How much storage has user SCOTTF consumed?
SELECT * FROM QSYS2.USER_STORAGE
 WHERE USER_NAME = 'SCOTTF';
QSYS2.USER_STORAGE – view

-- Review the top 10 storage consumers
SELECT A.AUTHORIZATION_NAME AS USER_NAME, SUM(A.STORAGE_USED) AS TOTAL_STORAGE_USED, B.MAXIMUM_ALLOWED_STORAGE
  FROM QSYS2.USER_STORAGE A
       INNER JOIN QSYS2.USER_INFO B ON B.USER_NAME = A.AUTHORIZATION_NAME
 WHERE ACCOUNTING_CODE <> '*SYS'
 GROUP BY A.AUTHORIZATION_NAME, B.TEXT_DESCRIPTION, B.ACCOUNTING_CODE, B.MAXIMUM_ALLOWED_STORAGE
 ORDER BY TOTAL_STORAGE_USED DESC
 LIMIT 10
QSYS2.SYSTMPSTG – view
• Observe system-wide temporary storage consumption
• Read all about it in IBM Knowledge Center:
www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzajq/rzajqviewsystmpstg.htm

-- Which active jobs are the top consumers of temp storage?
SELECT bucket_current_size, bucket_peak_size,
       rtrim(job_number) concat '/' concat rtrim(job_user_name) concat '/' concat rtrim(job_name) as q_job_name
  FROM QSYS2.SYSTMPSTG
 WHERE job_status = '*ACTIVE'
 ORDER BY bucket_current_size desc;
QSYS2.TCPIP_INFO – view
Client/server identification, logging and other instrumentation is possible using SQL. The TCPIP_INFO view returns detailed information for the current connection.

SELECT * from QSYS2.TCPIP_INFO

Well defined port numbers - http://bit.ly/ibmiPorts
QSYS2.ENVIRONMENT_VARIABLE_INFO – View
• The Work with Environment Variable (WRKENVVAR) command lacks OUTFILE support
• The command doesn't return PASE environment variables
• This service also returns binary versions of the environment variable names and values

--
-- Retrieve the environment variables for the
-- current connection
--
SELECT * FROM QSYS2.ENVIRONMENT_VARIABLE_INFO;
QSYS2.JOBLOG_INFO – UDTF
• Now you can use SQL to query the job log
• Each row returned is a message from the job log.
• A single parameter indicates the target job
• '*' can be used to indicate use the current job as the target

-- Find the most recently executed command in a target job
SELECT MESSAGE_TEXT
  FROM TABLE(QSYS2.JOBLOG_INFO('706721/SCOTTF/QPADEV0006')) A
 WHERE A.MESSAGE_TYPE = 'REQUEST'
 ORDER BY ORDINAL_POSITION DESC
 FETCH FIRST 1 ROW ONLY
QSYS2.OUTPUT_QUEUE_INFO – View
• Work with Output Queue (WRKOUTQ) command lacks OUTFILE support

-- Return details about the output queues with the
-- most files
WITH outqs_manyfiles ( libname, queuename ) AS (
  SELECT OUTPUT_QUEUE_LIBRARY_NAME, OUTPUT_QUEUE_NAME
    FROM QSYS2.OUTPUT_QUEUE_INFO
   ORDER BY NUMBER_OF_FILES DESC
   FETCH FIRST 5 ROWS ONLY
)
SELECT libname, queuename, create_timestamp, spooled_file_name, user_name, total_pages, size
  FROM outqs_manyfiles
       INNER JOIN QSYS2.OUTPUT_QUEUE_ENTRIES
          ON queuename = OUTPUT_QUEUE_NAME AND libname = OUTPUT_QUEUE_LIBRARY_NAME
 ORDER BY TOTAL_PAGES DESC
QSYS2.NETSTAT_INFO – View
• The Work with TCP/IP Network Status (NETSTAT) command lacks OUTFILE support
• Combined information for NETSTAT command options 3 & 6

--
-- Review the 10 connections that are
-- transferring the most data
--
SELECT * FROM QSYS2.NETSTAT_INFO
 ORDER BY BYTES_SENT_REMOTELY + BYTES_RECEIVED_LOCALLY DESC
 FETCH FIRST 10 ROWS ONLY
QSYS2.SYSTEM_STATUS – View and UDTF
• Invoke this UDTF to reset statistics (baseline) to capture the elapsed performance information

-- Establish a baseline for elapsed performance detail
SELECT * FROM TABLE(QSYS2.SYSTEM_STATUS(RESET_STATISTICS => 'YES')) X

--
-- Review the elapsed performance detail
--
SELECT HOST_NAME, ELAPSED_TIME, ELAPSED_CPU_USED,
       ELAPSED_CPU_SHARED, ELAPSED_CPU_UNCAPPED_CAPACITY
  FROM QSYS2.SYSTEM_STATUS_INFO
Works within any language

<?php …
$stmt = db2_prepare($dbc, "call UpdatePersonnel(?,?)");   // one marker per value passed below
$starttime = date("Y-m-d-H.i.s.u");                       // taken just before the call
$result = db2_execute($stmt, array(1, 150000));
if (!$result) { // failure!
    // read every message the job log has received since the call started
    $result = db2_exec($dbc, "select * from table(qsys2.joblog_info('*')) x where x.message_timestamp > '$starttime'");
    while ($row = db2_fetch_assoc($result)) {
        // save for later diagnostics, send email
        // to admin, etc
    }
}
?>
DB2 Security Enhancements
DB2 for i – Security Enhancements in IBM i 7.2
New tools in the toolbox…

Operating System Option
  IBM Advanced Data Security for i (5770SS1 - Option 47), No Charge
SQL Statements
  CREATE PERMISSION
  ALTER PERMISSION
  CREATE MASK
  ALTER MASK
  ALTER TRIGGER
  TRANSFER OWNERSHIP
Built-in Function
  VERIFY_GROUP_FOR_USER()
Function Usage ID
  QIBM_DB_SECADM
Catalogs
  QSYS2/SYSCONTROLS
  QSYS2/SYSCONTROLSDEP
Journal Entries
  For journal code D - Database file:
    M1, M2, M3 for create/drop/alter mask
    P1, P2, P3 for create/drop/alter permission
  For journal code T – Audit trail:
    AX for Row and Column Access Control
    X2 for Query manager profile changes
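The journal entry types listed above are what a security team would watch to learn when RCAC rules change. The two queries below are an added example, not from the original slides; they use the DISPLAY_JOURNAL named parameters shown earlier in the deck plus JOURNAL_CODES, the UDTF's journal-code parameter, which the slides do not show by name and is assumed here. The journal and library names are the slides' own examples.

```sql
-- Added example (not from the original slides). JOURNAL_CODES is assumed to
-- be the UDTF's journal-code parameter; the other named parameters appear on
-- the DISPLAY_JOURNAL slides.

-- 1) Audit journal (code T, type AX): Row and Column Access Control activity.
--    Entries exist only while security auditing is active on the system.
SELECT ENTRY_TIMESTAMP, "CURRENT_USER",
       RTRIM(JOB_NUMBER) CONCAT '/' CONCAT RTRIM(JOB_USER) CONCAT '/' CONCAT RTRIM(JOB_NAME) AS QUALIFIED_JOB_NAME,
       OBJECT, OBJECT_TYPE
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
         'QSYS', 'QAUDJRN',
         STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 30 DAYS,
         JOURNAL_CODES       => 'T',
         JOURNAL_ENTRY_TYPES => 'AX')) X
 ORDER BY ENTRY_TIMESTAMP DESC;

-- 2) The table's own journal (code D): M1/M2/M3 and P1/P2/P3 record mask and
--    permission DDL against the file. The entry types are filtered in the
--    WHERE clause and decoded so the result reads as actions, not codes.
SELECT ENTRY_TIMESTAMP, JOURNAL_ENTRY_TYPE,
       CASE JOURNAL_ENTRY_TYPE
         WHEN 'M1' THEN 'create mask'
         WHEN 'M2' THEN 'drop mask'
         WHEN 'M3' THEN 'alter mask'
         WHEN 'P1' THEN 'create permission'
         WHEN 'P2' THEN 'drop permission'
         WHEN 'P3' THEN 'alter permission'
       END AS ACTION,
       "CURRENT_USER", OBJECT, OBJECT_TYPE
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
         'TOYSTORE', 'QSQJRN',
         STARTING_TIMESTAMP => CURRENT TIMESTAMP - 30 DAYS,
         JOURNAL_CODES      => 'D')) X
 WHERE JOURNAL_ENTRY_TYPE IN ('M1', 'M2', 'M3', 'P1', 'P2', 'P3')
 ORDER BY ENTRY_TIMESTAMP DESC;
```

The second query is the one to schedule: a drop or alter of a mask or permission by any profile other than the designated QIBM_DB_SECADM user is worth an alert, and the current definitions can then be compared against the QSYS2/SYSCONTROLS catalog listed above.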
Technology Options for data security
1. Application-centric security
   – Application layer provides custom data protection & tracking
2. Data-centric security
   – Separation of duties
   – Database enforced rules
3. Physical security
   – Encryption hardware
[Figure: risk by type of user]
DB2 for i – Blocking access
DB2 for i Data Security options go well beyond the data model.
The Open Database File (QIBM_QDB_OPEN) exit program is called when a job is opening a database file. Use this interface to deploy blocking and more.
The Query Governor protects against over-consumption of CPU or storage:
http://www-01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_72/apis/xqrygovr.htm
IBM i Function usage IDs provide granular role-based security authorization (allow or deny) based upon users or groups:
https://www.ibm.com/developerworks/community/wikis/home?lang=es#!/wiki/IBM%20i%20Technology%20Updates/page/DB2%20for%20i%20Security%20Enhancements
IBM i has exit programs for connection interfaces and commands. The exit program can block or log or more.
Separation of Duty
Separation of duties
Before 7.2
In order to grant or revoke privileges, a user must have one of the following:
1. Object ownership
2. Object management (*OBJMGT) authority for the specified object
3. All object (*ALLOBJ) user special authority
Problem: If you can grant the SELECT privilege, you are also allowed to query the data
With IBM i 7.2 and 7.3
A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have the SELECT privilege.
Note that:
• Audit the SECADM users for *SECURITY actions
• Only someone with *SECADM special authority can grant the security administrator function usage
Separation of duty – example
• MARYSEC – A Security Officer responsible for granting and revoking security, including data security

CRTUSRPRF USRPRF(MARYSEC) PASSWORD(xxxxxxxx) USRCLS(*SECADM) TEXT('Security Officer')
GRTOBJAUT OBJ(<data-libraries>) OBJTYPE(*LIB) USER(MARYSEC) AUT(*USE)
CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(MARYSEC) USAGE(*ALLOWED)

Note… no *ALLOBJ user special authority
Separation of duty – example
• Use QIBM_DB_SECADM as an alternative authorization technique
• Other aspects of managing security don't have this alternative authorization method for security officers

Commands:
CHGOBJOWN
CHGOBJPGP
GRTOBJAUT
RVKOBJAUT
EDTOBJAUT
DSPOBJAUT
WRKOBJ
WRKLIB
ADDAUTLE
CHGAUTLE
RMVAUTLE
RTVAUTLE
DSPAUTL
DSPAUTLOBJ
EDTAUTL
WRKAUTL

APIs (also used by Navigator):
qsyrtvua - retrieve users authorized to an object
qsylusra - list users authorized to an object
qsylatlo - list objects secured by an autl
qsyrautu - retrieve users authorized to an object
qsylautu - list authorized users
qsyrusri - retrieve user information
quslobj - list objects
qgyolobj - open list of objects

MARYSEC can manage security (and more) with just QIBM_DB_SECADM
RCAC Basics
What is RCAC?
• Additional layer of data security available with DB2
• Complementary to table level security
• Subsetting access to only the required data for a task
• Controls access to a table at the row, column, or both
• Two sets of rules
  – Permissions for rows
  – Masks for columns
• IBM Advanced Data Security for i
  – No-charge feature - Option 47 (BOSS option 47)
Row and Column Access Control

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1) THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1) THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
      ELSE NULL
    END
  ENABLE;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
-- Column SSN: Payroll – entire number; Manager – xxxxxx1234; else – NULL

CREATE PERMISSION NETHMO.ROW_ACCESS ON HOSPITAL.PATIENT
  FOR ROWS WHERE
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PATIENT') = 1 AND
     HOSPITAL.PATIENT.USERID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
     HOSPITAL.PATIENT.PCP_ID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'MEMBERSHIP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'DRUG_RESEARCH') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;
ALTER TABLE HOSPITAL.PATIENT ACTIVATE ROW ACCESS CONTROL;
-- View row if Patient (own row); view row if Accounting; view row if Drug_Research

http://www.redbooks.ibm.com/abstracts/redp5110.html?Open
RCAC Terminology
Base Table – The table (physical file) containing business critical data.
Dependent Object – Any object (file, schema, function, or other object) the permission or mask references.
Permission – A row permission defines a row access control rule for rows of a table by setting an SQL search condition that describes the set of rows a user can access. 0 to many permissions allowed per table.
Mask – A column mask defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what column values a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.
RULETEXT – The expression to be used by the permission (WHERE clause pred5icates) or mask (selection CASE expression).
Data access authorization precedence rules
Row Permissions

CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION
  ON HOSPITAL.PATIENT_TABLE
  FOR ROWS WHERE
    ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
      HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER) OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;
ALTER TABLE HOSPITAL.PATIENT_TABLE ACTIVATE ROW ACCESS CONTROL;

• Logically, the table begins as an empty table, with permissions providing access to specific rows
• 1..n permissions are UNION'ed together
• No ordering considerations, but might have indexing implications
• Usually based upon identity, but can contain other rules
Column Masks

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1) THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1) THEN 'XXX-XX-' CONCAT RIGHT(SSN,4)
      ELSE NULL
    END
  ENABLE;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

• CASE statement evaluated in order until a WHEN expression evaluates to TRUE
• Applied when the column appears in the SELECT list
• Has no impact on selection (WHERE)
• Case logic is usually based upon identity, but can contain other rules
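The third bullet above is the one most often overlooked when a mask is treated as the whole control: the mask rewrites what a query returns, not what a query matches. As an added example, not from the original slides, the following is the verification a security officer can run against the SSN_MASK just defined, followed by the row permission that closes the gap. It assumes the EMPLOYEE table from the slide with columns EMPNO, LASTNAME and SSN, a test profile that belongs to neither PAYROLL nor MGR, and constructed sample values; the permission name EMP_SSN_GROUPS is an assumption.

```sql
-- Added example (not from the original slides). Assumes EMPLOYEE(EMPNO,
-- LASTNAME, SSN) with the slide's SSN_MASK active; sample values are
-- constructed and the permission name is an assumption.

-- Step 1, run as the test user: the mask fires on the select list, so the
-- SSN column comes back NULL.
SELECT EMPNO, LASTNAME, SSN
  FROM EMPLOYEE
 WHERE EMPNO = '000010';
--  EMPNO   LASTNAME  SSN
--  000010  HAAS      <NULL>

-- Step 2, still as the test user: the predicate is evaluated against the
-- real column value, so the row is still found. The mask changed what is
-- displayed, not which rows match.
SELECT EMPNO, LASTNAME
  FROM EMPLOYEE
 WHERE SSN = '123-45-6789';
--  EMPNO   LASTNAME
--  000010  HAAS

-- Step 3, remedy: pair the mask with a row permission so that profiles
-- outside the groups entitled to the column are given no rows at all.
-- With row access control active the table starts out empty and only the
-- permission adds rows back (see the Row Permissions slide).
CREATE OR REPLACE PERMISSION EMP_SSN_GROUPS ON EMPLOYEE
  FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
              OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;
ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL;

-- Step 4, re-run step 2 as the test user: no rows match, whatever the predicate.
SELECT EMPNO, LASTNAME
  FROM EMPLOYEE
 WHERE SSN = '123-45-6789';
--  (0 rows)
```

The general rule this illustrates: a mask is the right tool when a user is entitled to the row but not to one of its values as displayed; when the requirement is that the user must not be able to learn the value at all, the row itself has to be withheld with a permission, or the column kept out of any table that user can query.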
RCAC and Built-in Global Variables
Column masking example – protect sensitive data using built-in global variables:

CREATE OR REPLACE MASK SSN_MASK ON TOYSTORE2.EMPLOYEE FOR COLUMN SSN
  RETURN
    CASE
      WHEN (QSYS2.JOB_NAME LIKE '%QZDAS%INIT') THEN 'XXX-XX-' CONCAT RIGHT(SSN,4)
      ELSE SSN
    END
  ENABLE;
ALTER TABLE TOYSTORE2.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

SELECT LASTNAME, EMPNO, SSN FROM TOYSTORE2.EMPLOYEE ORDER BY 1;
RCAC and Functions
• Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
• The security officer must review and approve the function
• Use functions to easily change RULETEXT in production
• Functions must be created or altered to have the SECURED attribute.
• If a function is not secure, the permission or mask cannot be enabled
  > ALTER PERMISSION employee_perm1 ENABLE
Alter statement enhancements
ALTER TRIGGER
• Triggers over files with active RCAC must be identified as SECURED
  ALTER TRIGGER Employee_Insert_Trigger <SECURED | NOT SECURED>
• Alternative to CL command for enabling / disabling triggers
  ALTER TRIGGER Employee_Insert_Trigger <ENABLE | DISABLE>
• Operations can be run under commitment control and rolled back
ALTER FUNCTION
• Data change operations with functions executed over files with active RCAC must be identified as SECURED
  ALTER FUNCTION Return_Name_Function <SECURED | NOT SECURED>
Only the QIBM_DB_SECADM user can mark a trigger or function as SECURED
RCAC – IBM i FAQ
Other considerations
How do I determine if RCAC is enabled for a file?
• DSPOBJAUT command (only appears if you have QIBM_DB_SECADM)
• Query new QSYS2/SYSCONTROLS catalog
• System i Navigator
Queries
• To understand whether RCAC is applied on SQL statements
  1. SQL Performance Monitor (Database Monitor)
  2. Visual Explain
SQL Performance Monitor analysis via Navigator
• Add the 'Row and Column Access' column to your dialog
Database Monitor
• Reference the QFC15 column where QQRID=1000
Visual Explain
• "Access Control" is in the "Additional Information about SQL" section. It will be set to Row, Column, Row and Column, or None
• Row permissions are also noted in the attribute section of predicates for those nodes that have a + sign that can be expanded to show the predicates.
• Column masks show up by name only (not the whole mask definition) in the statement text for a node
Copying files
• Create Duplicate Object (CRTDUPOBJ) & Copy Library (CPYLIB) commands
  – Duplicate access control (ACCCTL) - new parameter for RCAC
  – ACCCTL defaults to include all RCAC controls
  – Command will fail if directed to copy data and to remove enabled RCAC
  – When access control is duplicated, must abide by RCAC restrictions
• Copy File (CPYF) & Copy To Import File (CPYTOIMPF) commands
  – No duplicate access control parameter
  – RCAC is applied prior to copying the file
  – No warning or failure is indicated when RCAC is applied on the copy.
  – Beware, you could end up with fewer rows and/or masked column values
Themes
• Easier and more powerful application development
• Better performance
• Leverage DB2 for more scenarios
• Secure your data
www.ibm.com/developerworks/ibmi/techupdates/db2