Understanding DB2: Learning Visually with Examples (2nd Edition)

3.2. Required User IDs and Groups

Figures 3.1 and 3.2 show that, when installing DB2, you create several user IDs and user groups that DB2 needs to operate. This section discusses the basic requirements of those user IDs and groups, which are different for Windows and Linux/UNIX.

3.2.1. User IDs and Groups Required for Windows

In addition to needing an installation user ID to install the DB2 product on Windows, to operate DB2 you need two other user IDs.

  • The Instance owner owns and controls the DB2 instance.

  • The DB2 Administration Server (DAS) user runs the DB2 administration server service on your system. The DB2 GUI tools also use this ID to perform administration tasks against the local server database instances and databases.

Table 3.2 describes these user IDs in more detail.

Table 3.2. User IDs and Groups for DB2 on Windows

Authority of the User ID

  • Installation User ID: A local or domain user account that is part of the administrator group on the server where you are installing DB2. You can also use the built-in Local System account to run the installation for all products except DB2 UDB Enterprise Server Edition. If you want to have the DB2 Setup Wizard create a domain user account for the Instance owner or the DAS user, the installation ID must have authority to create domain user accounts.

  • Instance Owner User ID: A local or domain user account that belongs to the administrator group on the server.

  • DAS User ID: A local or domain user account that belongs to the administrator group on the machine. The built-in Local System account can also be used.

When to Create It

  • Installation User ID: Before installation.

  • Instance Owner User ID: Before installation, or during installation by the DB2 Setup Wizard. Either way, the necessary rights will be granted during the installation process.

  • DAS User ID: Same as Instance Owner User ID.

Rights Granted During Installation

  • Installation User ID: Not applicable.

  • Instance Owner User ID:

      • Act as part of the operating system.

      • Debug programs.

      • Create a token object.

      • Increase quotas.

      • Lock pages in memory.

      • Log on as a service.

      • Replace a process-level token.

  • DAS User ID: Same as Instance Owner User ID.

3.2.2. IDs and Groups Required for Linux/UNIX

On Linux/UNIX, you need to log on as a root user to perform DB2 installation. In addition, you need three users and three groups to operate DB2.

  • The Instance owner: the DB2 instance is created in the instance owner home directory. This user ID controls all DB2 processes and owns all file systems and devices used by the databases contained within the instance.

  • The Fenced user runs fenced user-defined functions (UDFs) and stored procedures. Fenced UDFs and stored procedures execute outside of the address space used by the DB2 instance and therefore cannot interfere with the execution of the instance. If you do not need this level of security, for example, in a test environment, you can use the instance owner as your fenced user.

  • As on Windows, the DAS user runs the DB2 Administration Server process on your system. This user ID is also used by the DB2 GUI tools to perform administration tasks against the local server database instances and databases.

  • Three separate user groups must also be created for the Instance Owner, the Fenced User, and the DAS user.

Table 3.3 describes these user IDs and groups in more detail.

Table 3.3. User IDs and Groups Required for Installing DB2 on UNIX Platforms

When to Create It

  • Instance Owner User ID: If the system is running NIS or similar security software, and you plan to create a DB2 instance during the DB2 installation process, then you must create this ID prior to installing DB2. See section 3.2.3, Creating User IDs and Groups if NIS Is Installed in Your Environment (Linux/UNIX Only), for more information. Otherwise:

      • During installation when using the DB2 Setup Wizard or Silent install.

      • After installation when using the db2_install script or native OS install tool.

  • Fenced User ID: Same as Instance Owner User ID.

  • DAS User ID: Same as Instance Owner User ID.

Default User ID Created by DB2 Installer

  • Instance Owner User ID: db2inst1. If db2inst1 already exists, the DB2 installer will then search for the user db2inst2. If that user doesn't exist, it will then create that user. If that user does exist, the DB2 installer will continue its search (db2inst3, db2inst4, and so on) until it finds an available user.

  • Fenced User ID: db2fenc1. Uses the same algorithm as Instance Owner User ID.

  • DAS User ID: db2as (AIX only); dasusr1 (all other Linux/UNIX platforms). Uses the same algorithm as Instance Owner User ID.

Example Primary Group Name

  • Instance Owner User ID: db2iadm1

  • Fenced User ID: db2fadm1

  • DAS User ID: dasadm1

Example Secondary Group Name

  • Instance Owner User ID: dasadm1

  • Fenced User ID: Not applicable.

  • DAS User ID: db2iadm1

3.2.3. Creating User IDs and Groups if NIS Is Installed in Your Environment (Linux/UNIX Only)

NIS is a secure and robust repository of information about network entities, such as users and servers, which enables the efficient administration of enterprise client/server networks. Administration tasks such as adding, removing, and reassigning systems and users are facilitated by modifying information in NIS. NIS+ is a more mature version of NIS with better support for security issues and very large work groups.

If you have NIS or a similar security component installed on your machine, you must create the users and groups listed in Table 3.3 manually before installing DB2, because the DB2 installation scripts attempt to update objects that are under the control of the security packages. NIS prevents DB2 from doing those updates.

Keep the following restrictions in mind if you are using NIS or NIS+.

  • You must create groups and users on the NIS server before installing DB2.

  • You must add the primary group of the instance owner to the secondary DAS group. Likewise, you must add the primary DAS group to the secondary group for the instance owner.

  • On a DB2 ESE system, before you create an instance, you must create an entry for the instance in the /etc/services file. For example, if you want to create an instance for the user db2inst1, you require an entry similar to the following:

    DB2_db2inst1 50000/tcp

NOTE

These considerations hold true for any environment in which an external security program does not allow the DB2 installation or instance creation programs to modify user characteristics.
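The restrictions above and the Table 3.3 layout can be checked before running the installer. The script below is an added example, not taken from the book or from the DB2 installer: it reads passwd-, group- and services-format files and confirms that the three users exist with three distinct primary groups, that the instance owner and the DAS user each belong to the other's primary group, and that the DB2_<instance> entry is present. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book). Inputs are passwd-, group- and
# services-format files, e.g. `getent passwd` and `getent group` output
# captured on an NIS client, plus /etc/services.

primary_group() {   # USER PASSWD GROUP -> prints USER's primary group name
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3")
    [ -n "$name" ] && echo "$name"
}

in_group() {        # USER GROUPNAME GROUP -> true if USER is a listed member
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$3"
}

has_service() {     # INSTANCE SERVICES -> true if DB2_<instance> N/tcp exists
    awk -v s="DB2_$1" '$1 == s && $2 ~ /^[0-9]+\/tcp$/ { ok = 1 }
        END { exit !ok }' "$2"
}

check_db2_ids() {   # INST FENCED DAS PASSWD GROUP SERVICES -> 0 if all pass
    inst=$1 fenc=$2 das=$3 pw=$4 gr=$5 sv=$6 rc=0
    ig=$(primary_group "$inst" "$pw" "$gr") || { echo "FAIL no user/primary group: $inst"; rc=1; }
    fg=$(primary_group "$fenc" "$pw" "$gr") || { echo "FAIL no user/primary group: $fenc"; rc=1; }
    dg=$(primary_group "$das" "$pw" "$gr") || { echo "FAIL no user/primary group: $das"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    # Three separate groups: sharing one weakens the fenced-user separation.
    if [ "$ig" = "$fg" ] || [ "$ig" = "$dg" ] || [ "$fg" = "$dg" ]; then
        echo "FAIL primary groups are not distinct: $ig $fg $dg"; rc=1
    fi
    # Cross membership: instance owner in the DAS group, and the reverse.
    in_group "$inst" "$dg" "$gr" || { echo "FAIL $inst is not in $dg"; rc=1; }
    in_group "$das" "$ig" "$gr" || { echo "FAIL $das is not in $ig"; rc=1; }
    # ESE only: the port entry must exist before the instance is created.
    has_service "$inst" "$sv" || { echo "FAIL no DB2_$inst tcp entry in $sv"; rc=1; }
    return "$rc"
}

# Constructed sample data (not real accounts), laid out as in Table 3.3.
d=$(mktemp -d)
printf '%s\n' 'db2inst1:x:1001:2001::/home/db2inst1:/bin/sh' \
    'db2fenc1:x:1002:2002::/home/db2fenc1:/bin/sh' \
    'dasusr1:x:1003:2003::/home/dasusr1:/bin/sh' > "$d/passwd"
printf '%s\n' 'db2iadm1:x:2001:dasusr1' 'db2fadm1:x:2002:' \
    'dasadm1:x:2003:db2inst1' > "$d/group"
echo 'DB2_db2inst1 50000/tcp' > "$d/services"
check_db2_ids db2inst1 db2fenc1 dasusr1 "$d/passwd" "$d/group" "$d/services" && echo "all checks passed"
```

On a non-ESE system the services check can be ignored, since the book states that requirement for DB2 ESE only.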
