Protection of host variable values reported by Apptune


You can configure BMC AMI Apptune for Db2 to capture and report the host variable values of statement executions that generate exceptions or errors. Capture is enabled as part of the Apptune filter definition, so you control which workloads generate this content through the workload identifiers on the Apptune filter rows. You can also control who is able to view the captured host variable values.

Use one or both of the following methods to protect host variable values once capture is enabled:

SAF resource definitions

Use SAF resource definitions to redact host variable values in records retrieved from the Apptune Data Collector. The check is made against a resource class and an entity name established at installation to control access to Apptune host variable content. If no such entity exists, or the requesting user has READ access to it, the user can display host variable values. If the entity exists and the requesting user does not have READ access, the values are redacted and displayed as asterisks (********) followed by the term "(redacted)". Note that the absence of an entity grants access, so define the entity (or a wildcard entity covering all subsystems) before you enable host variable capture.

When no BBSEC control statement overrides it, the resource class name is FACILITY.

Use the following format to define the entity name:

<prefix>.APPTUNE.<db2ssid>.DB2HVAR.OD

where <prefix> defaults to "BBM" and can be overridden as described below, and <db2ssid> is a Db2 subsystem ID, or * to apply to all subsystem IDs that do not have a specific entity defined.

Use the following procedure to override the resource class name, the entity name prefix, or both:

  • Set up a BBSEC member in your system parmlib concatenation; it is read when host variable value access is checked.

    Important

    Any change to the BBSEC definition requires a DOM,REFRESH to take effect.

  • Code the control statement in the BBSEC member as:
    • TYPE=DB2HVAR,CLASS=<resource class name>,PREFIX=<prefix>

      Important

      When the control statement is included, CLASS is optional (default is $BOOLE) and PREFIX is optional (default is BBM).

The method of setting the host variable resource class name and entity prefix is shared between Apptune and BMC AMI Ops Monitor for Db2.

Because Apptune does not require a PAS or use BBIPARM, the BBSEC member must be in the logical SYS1.PARMLIB library. For example, if you provide a BBSEC member with the following control statement:

TYPE=DB2HVAR,CLASS=BMCHVAR,PREFIX=BMC

and you want to control host variable value display for subsystem DB2A, issue the following RACF command:

RDEFINE BMCHVAR (BMC.APPTUNE.DB2A.DB2HVAR.OD) UACC(NONE)

You can then permit READ access to this entity for users who are allowed to view host variable values on DB2A.

You can use wildcards to set up default access for a wide range of contexts, such as * in the product name position to cover both Apptune and BMC AMI Ops Monitor for Db2, and * in the Db2 subsystem ID position to cover all subsystems. A specific entity, where one is defined, takes precedence over the * entity.
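The following Python script is an added example written for this page; it is not BMC code and does not talk to RACF. It models the rules stated above (entity name <prefix>.APPTUNE.<db2ssid>.DB2HVAR.OD, class FACILITY unless a BBSEC TYPE=DB2HVAR statement overrides it, $BOOLE and BBM as the in-statement defaults, a specific subsystem entity taking precedence over the * entity, and "no entity means values are displayed") so that an administrator can predict what a given BBSEC statement and profile set will do before enabling capture, and emits the RACF commands to match. The user IDs, the sample host variables and the assumption that a line starting with * in BBSEC is a comment are all made up for the example.

```python
"""Model of the SAF check Apptune applies to host variable values (added example)."""
from dataclasses import dataclass

REDACTED = "******** (redacted)"   # display form documented for redacted values
READ_OR_HIGHER = ("READ", "UPDATE", "CONTROL", "ALTER")


@dataclass
class HvarSecurity:
    """Resource class and entity prefix in effect for DB2HVAR checks."""
    resource_class: str = "FACILITY"   # default when no BBSEC statement overrides it
    prefix: str = "BBM"

    @classmethod
    def from_bbsec(cls, member_text):
        """Parse a BBSEC member. With no TYPE=DB2HVAR statement the page
        defaults apply; with one, CLASS defaults to $BOOLE and PREFIX to BBM."""
        for raw in member_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("*"):   # assumed comment convention
                continue
            kv = dict(p.split("=", 1) for p in line.split(",") if "=" in p)
            if kv.get("TYPE", "").upper() == "DB2HVAR":
                return cls(kv.get("CLASS", "$BOOLE").upper(),
                           kv.get("PREFIX", "BBM").upper())
        return cls()

    def entity(self, ssid, product="APPTUNE"):
        return f"{self.prefix}.{product}.{ssid}.DB2HVAR.OD"


class SafProfiles:
    """Minimal in-memory stand-in for RACF profiles: entity -> {id: access}."""

    def __init__(self):
        self.profiles = {}

    def rdefine(self, entity, uacc="NONE"):
        self.profiles[entity] = {"UACC": uacc}

    def permit(self, entity, userid, access="READ"):
        self.profiles[entity][userid] = access

    def resolve(self, sec, ssid):
        """Specific subsystem entity first, then the * entity, else None."""
        for candidate in (sec.entity(ssid), sec.entity("*")):
            if candidate in self.profiles:
                return candidate
        return None

    def may_view(self, sec, ssid, userid):
        entity = self.resolve(sec, ssid)
        if entity is None:
            return True                      # no entity defined: values are shown
        acl = self.profiles[entity]
        return acl.get(userid, acl["UACC"]) in READ_OR_HIGHER


def render_hvars(sec, profiles, ssid, userid, hvars):
    """hvars: list of (type, length, value). A redacted row keeps type and length."""
    show = profiles.may_view(sec, ssid, userid)
    return [(t, n, v if show else REDACTED) for t, n, v in hvars]


def racf_commands(sec, ssid, readers):
    """Commands the security administrator would issue for one subsystem.
    The final SETROPTS applies only if the class is RACLISTed (assumption)."""
    ent = sec.entity(ssid)
    cmds = [f"RDEFINE {sec.resource_class} ({ent}) UACC(NONE)"]
    cmds += [f"PERMIT {ent} CLASS({sec.resource_class}) ID({u}) ACCESS(READ)"
             for u in readers]
    cmds.append(f"SETROPTS RACLIST({sec.resource_class}) REFRESH")
    return cmds


if __name__ == "__main__":
    sec = HvarSecurity.from_bbsec("TYPE=DB2HVAR,CLASS=BMCHVAR,PREFIX=BMC")
    saf = SafProfiles()
    saf.rdefine(sec.entity("*"))            # catch-all: nobody sees values by default
    saf.rdefine(sec.entity("DB2A"))         # specific entity for DB2A
    saf.permit(sec.entity("DB2A"), "DBA01")
    sample = [("CHAR", 8, "ACCT0042"), ("INTEGER", 4, "1700")]   # constructed values
    print(render_hvars(sec, saf, "DB2A", "DBA01", sample))
    print(render_hvars(sec, saf, "DB2A", "USER99", sample))
    print("\n".join(racf_commands(sec, "DB2A", ["DBA01"])))
```

Run it as-is to see DBA01 receive the values while USER99 receives rows of type and length only; remove the rdefine of the * entity and USER99 sees the values on every subsystem without a specific entity, which is the gap the catch-all closes.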

Dataset protection for host variable log files and archive files

In the DOMPLEX option set that defines output groups, use the following procedure to set up an output group dedicated to host variable content:

  • Configure an output group with the HOSTVAR data class. This group receives the Apptune records and Db2 trace records that contain host variable values. The HOSTVAR data class is mutually exclusive with any other data class for the same output group.
  • Under NGL LOGSET Parameters for that output group, specify an LDS DSN prefix and an Archive DSN prefix to identify the log files and archive files created for this purpose.
  • Optionally, disable archiving for the output group.
  • Use the same prefixes when defining the dataset protection that prevents unauthorized users from reading unredacted records with this content.
Important

Coordination is required between the product administrator and the security administrator to ensure alignment between the dataset prefix of archives containing host variable values and the dataset protection in place to prevent unauthorized reading of the values in the archives.

When an Apptune record with host variable content is written and no output group receives the HOSTVAR data class, the record is written to an output group that receives the APSTMT class; Db2 trace records in this situation go to the DB2PERF class. Protecting the APSTMT or DB2PERF datasets then also prevents reading the other records in those classes that contain no host variable content. The HOSTVAR data class therefore provides the granularity to protect host variable values more strictly than other data.

The user ID assigned to the DBC started task that hosts Apptune must have full access to all output group files. If you have added dataset security for HOSTVAR log files, Apptune must still be allowed to update and read those files so that records can be written to the log files and retrieved for any requesting user; such records remain subject to redaction under the SAF resource definitions method.

If you have added dataset security for HOSTVAR archive files, any user who wants to generate an Apptune report from an archive or dataset source, or via a DOMBARC or TRACEIN DD statement, needs read access to retrieve the records. If dataset protection denies read access to an archive, no records are provided for reporting from that archive. When using the Archive source or the DOMBARC DD statement, the non-permitted archives are skipped while permitted archives are still accessed. For example, an Apptune report showing SQL text and host variables still shows the SQL text if only the HOSTVAR archives are restricted.

For an Apptune user retrieving records from the log files through the Data Collector source, records are returned and may be redacted. When redacted, the user can see the number of host variables and their data types and lengths, but not the values. When records are retrieved from an archive for Apptune reporting, the user must have read access to the archive, and the content is not subject to redaction.
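The following Python script is an added example for the output-group procedure and the fallback behaviour described above; it is not BMC code and does not read a DOMPLEX option set. It models output groups as a name, a set of data classes and the two dataset prefixes, checks the HOSTVAR exclusivity rule, shows which group a host-variable-bearing record lands in (the HOSTVAR group if one exists, otherwise the APSTMT or DB2PERF group, where it can no longer be protected separately), and emits the RACF DATASET profile commands that give the DBC started task full access to both prefixes while only a reporting group can read the archives. Group names, dataset prefixes, the DBC user ID and the reporting group are made up; the high-level qualifier of each prefix is assumed to be a RACF-defined user or group and generic profile processing is assumed to be active for the DATASET class.

```python
"""Reviewer's check of a DOMPLEX output-group setup for HOSTVAR content (added example)."""
from dataclasses import dataclass

HOSTVAR, APSTMT, DB2PERF = "HOSTVAR", "APSTMT", "DB2PERF"
# where host-variable-bearing records go when no HOSTVAR group exists (from the page)
FALLBACK = {"apptune": APSTMT, "db2trace": DB2PERF}


@dataclass(frozen=True)
class OutputGroup:
    name: str
    data_classes: frozenset
    lds_prefix: str
    archive_prefix: str = ""       # empty string: archiving disabled for this group


def validate(groups):
    """Return a list of problems; an empty list means the setup follows the page's rules."""
    problems = []
    for g in groups:
        if HOSTVAR in g.data_classes and len(g.data_classes) > 1:
            problems.append(f"{g.name}: HOSTVAR cannot be combined with other data classes")
    if not any(HOSTVAR in g.data_classes for g in groups):
        problems.append("no HOSTVAR output group: host variable records fall back to the "
                        "APSTMT/DB2PERF groups and cannot be protected separately")
    return problems


def route(groups, record_kind):
    """Output group that receives a record carrying host variable values."""
    for g in groups:
        if HOSTVAR in g.data_classes:
            return g
    for g in groups:
        if FALLBACK[record_kind] in g.data_classes:
            return g
    return None


def dataset_profiles(group, dbc_userid, report_group):
    """RACF DATASET profiles for the HOSTVAR group. The DBC started task gets
    ALTER (full access) on both prefixes; only report_group reads the archives,
    and nobody else reads the log files directly, because log-file retrieval goes
    through the Data Collector and is redacted by the SAF resource check."""
    if HOSTVAR not in group.data_classes:
        raise ValueError("profiles are only generated for the HOSTVAR group")
    cmds = []
    for prefix, readers in ((group.lds_prefix, []), (group.archive_prefix, [report_group])):
        if not prefix:                       # archiving disabled: no archive datasets
            continue
        profile = f"'{prefix}.**'"
        cmds.append(f"ADDSD {profile} UACC(NONE) GENERIC")
        cmds.append(f"PERMIT {profile} ID({dbc_userid}) ACCESS(ALTER)")
        cmds += [f"PERMIT {profile} ID({r}) ACCESS(READ)" for r in readers]
    cmds.append("SETROPTS GENERIC(DATASET) REFRESH")   # pick up the new generic profiles
    return cmds


if __name__ == "__main__":
    # constructed configuration: one general group plus a dedicated HOSTVAR group
    groups = [
        OutputGroup("APTMAIN", frozenset({APSTMT, DB2PERF}),
                    "BMCAPT.MAIN.LDS", "BMCAPT.MAIN.ARC"),
        OutputGroup("APTHVAR", frozenset({HOSTVAR}),
                    "BMCAPT.HVAR.LDS", "BMCAPT.HVAR.ARC"),
    ]
    print("problems:", validate(groups) or "none")
    print("host variable records go to:", route(groups, "apptune").name)
    print("without the HOSTVAR group they go to:", route(groups[:1], "apptune").name)
    print("\n".join(dataset_profiles(groups[1], "APTDBC", "APTRPT")))
```

The point of the route check is the second print: with the HOSTVAR group removed, host variable values land in the APTMAIN datasets alongside ordinary statement and trace records, and protecting those datasets would block the ordinary records too.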
