Separate fenced user Id support in NSE

Fix Readme


Abstract

Starting with V9.7 FP4 and V9.5 FP8, Net Search Extender (NSE) removes the restriction that the fenced user ID must be the same as the DB2® instance owner ID.

Content

Net Search Extender requires a fenced user account for running its user-defined functions (UDFs) and stored procedures outside the address (memory) space used by the DB2 UDB engine. When the fenced ID differs from the instance owner ID, the fenced user does not have the required permissions on the NSE index directories. Therefore, in earlier releases NSE would fail if the fenced ID was not the same as the DB2 instance owner ID (determined by the ownership of the file ~/sqllib/adm/.fenced). For security reasons, DB2 recommends that the instance owner account not be used as the fenced user account.

The solution implemented in NSE V9.7 FP4 and V9.5 FP8 onwards removes this restriction: the fenced ID no longer has to be the same as the DB2® instance owner ID. The fix requires a common group that is added as a secondary group for both the instance owner and the fenced user.

For example, if the instance owner is 'db2inst1' and the fenced user is 'db2fenc1', create a new group (say 'video', as in the example below) and make this group a secondary group of both the instance owner and the fenced user.

This can be verified with the following commands:

>id db2inst1
uid=44049(db2inst1) gid=204(search) groups=33(video)

>id db2fenc1
uid=44048(db2fenc1) gid=100(users) groups=33(video)


Additional information relevant to this fix:

  1. If the instance owner and fenced user are different and do not share a common secondary group, db2text start issues the following warning message:
    CTE0360 "No common secondary group exists for fenced user and instance owner".

  2. All of the following administrative commands can be executed only by the instance owner: ENABLE DATABASE, DISABLE DATABASE, CREATE INDEX, UPDATE INDEX, ALTER INDEX, DROP INDEX, ACTIVATE CACHE, DEACTIVATE CACHE, RESET PENDING, CLEAR EVENTS, DB2EXTTH and HELP.

  3. On HP-UX, after migrating to the V9.7 FP4 release, the thesaurus definition file must be recompiled for thesaurus searches to work.

  4. No external files are copied to or contained in the NSE index directory other than the NSE index files.

  5. The fenced user must have access to the index files and thesaurus files.
    NOTE: the secondary group addition is meant to achieve this. Make sure the umask allows group read and write access for the fenced user; the umask should therefore be set to 0002.

  6. When upgrading from NSE V9.7 FP3 to V9.7 FP4, or from V9.5 FP7 to V9.5 FP8, you need to alter the index directory for STP searches to work properly. (If you want to keep the same index directory as before, the same directory can be specified in the ALTER INDEX command.)

    If schema1.i1 is the index name and /home/user1/sqllib/db2ext/indexes is the index directory, alter the index as follows:

    db2text ALTER INDEX schema1.i1 FOR TEXT INDEX DIRECTORY /home/user1/sqllib/db2ext/indexes

  7. With this fix, the routines NUMBER_DOCS and REORG_SUGGESTED are not operational in a partitioned environment.

  8. Links to the relevant technotes on this issue:

    i) http://www.ibm.com/support/docview.wss?uid=swg21142173
    ii) http://www.ibm.com/support/docview.wss?uid=swg21226272
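The two prerequisites described above (a common secondary group, verified with id, and a umask that leaves group read/write, from item 5) can be checked from a script. The following is an added example, not part of the IBM technote or of NSE itself: the function names (secondary_groups, common_secondary_groups, umask_allows_group_rw, check_fenced_setup) and the sample id lines are constructed for illustration. It also handles Linux-style id output, which repeats the primary group inside the groups= list.

```shell
# Added example, not part of the IBM technote: check the two prerequisites the
# fix relies on, parsing the "id" output format shown in the technote.
# Print the secondary (supplementary) group names from one line of "id" output,
# one per line. The account's own primary group (gid=) is skipped: Linux "id"
# repeats it in the groups= list, and the fix needs a *secondary* group.
secondary_groups() {
    gid=$(printf '%s\n' "$1" | sed -n 's/.*gid=\([0-9]*\)(.*/\1/p')
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/^\([0-9]*\)(\([^)]*\))$/\1 \2/p' \
        | while read -r num name; do
              [ "$num" = "$gid" ] || printf '%s\n' "$name"
          done
}

# Print the group names present in both accounts' secondary groups (empty if none).
common_secondary_groups() {
    for g in $(secondary_groups "$1"); do
        for h in $(secondary_groups "$2"); do
            [ "$g" = "$h" ] && printf '%s\n' "$g"
        done
    done
    return 0
}

# Return 0 if a umask such as 0002 leaves group read and write permission, i.e.
# the group octal digit (second from the right) has neither bit 4 nor bit 2 set.
umask_allows_group_rw() {
    g=$(printf '%s' "$1" | sed -n 's/^.*\(.\).$/\1/p')
    case "$g" in 0|1) return 0 ;; *) return 1 ;; esac
}

# Run both checks; return 0 only when the fix's prerequisites are met.
check_fenced_setup() {
    common=$(common_secondary_groups "$1" "$2")
    if [ -z "$common" ]; then
        echo "no common secondary group: db2text start would issue CTE0360"; return 1
    fi
    echo "common secondary group(s): $(printf '%s' "$common" | tr '\n' ' ')"
    if ! umask_allows_group_rw "$3"; then
        echo "umask $3 blocks group read/write; the technote expects 0002"; return 1
    fi
    echo "umask $3 allows group read/write"
}
# Constructed sample input: the "id" output of the technote's example accounts.
ID_INST='uid=44049(db2inst1) gid=204(search) groups=33(video)'
ID_FENC='uid=44048(db2fenc1) gid=100(users) groups=33(video)'
check_fenced_setup "$ID_INST" "$ID_FENC" 0002
```

On a live instance the same check is run as check_fenced_setup "$(id db2inst1)" "$(id db2fenc1)" "$(umask)", substituting the real instance owner and fenced user names.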


NOTE: This fix is not relevant for the Windows platform.


Document Information

Modified date:
16 June 2018

UID

swg21496547