IBM Data and AI Ideas Portal for Customers



Status Not under consideration
Workspace Db2 for z/OS
Created by Guest
Created on Jul 19, 2019

Create an API for IFI reads (306) so Log-Reading Software does NOT need to be APF-Authorized

Like a lot of shops, we replicate a lot of our Enterprise data from our programmatic Db2 for z/OS environment to other Db2s and other off-platform DBMSes for MI and analytics, and for high availability.

IIDR now provides the ability to do this via a "Remote Capture Engine", which drives stored procedures on the mainframe to read Db2's logs via IFI306, eliminating the need to spend mainframe cycles or memory on actually processing replication activities...this is now done on a "commodity" server.

The problem with this is that the IIDR group has chosen to deploy these stored procedures that call IFI306 to the z/OS platform via SSH. And because the IFI306 read requires that the code be APF-authorized, this means IBM wants us to allow IIDR to load modules DIRECTLY into an APF-authorized library via SSH.

Code loaded into an APF-authorized library has the ability, if link-edited with AC=1, to issue ANY privileged instruction on the z/OS operating system, including loading PSWs, changing storage keys/masks, or starting I/O/subchannel programs. A bad actor skilled in Assembler programming could potentially inject high-risk code into a z/OS system via SSH with little auditability, potentially compromising the security of the z/OS platform.

Solution:

The only reason the target library needs to be APF-authorized for this deployment is because the IFI 306 call to DB2 needs to run APF-authorized. So a potential solution would be to deploy an API within Db2 itself, placing the APF-portion of the code in the Db2 SDSNLOAD as part of the Db2 product.

  • Guest
    Feb 4, 2021

    I agree, it would be much better if DB2 managed all the aspects of what needed to be authorized so clients did not have to manage ECSA or 64-bit memory as we do today. It would make it easier to develop on the z/OS DB2 platform to get DB2 information from commands and to read the logs for any number of reasons. I've been doing this type of development since 1994 and it has never been optimal. There should be no need to write an ESTAEX to capture an abend and then release storage. It works once you get it right, but if you are not a HLASM expert it can get rough.

  • Admin
    Janet Figone
    Dec 17, 2020

    Thank you for submitting this product enhancement request. The Db2 for z/OS development team reviewed it and determined it is a good idea, but because it does not align with the functionality prioritized for delivery within the next 24 months, we are unfortunately going to decline this at this time.

    Sincerely,

    The Db2 for z/OS team