CA Repository WebStation Option and DBXCHECKEXTSEC External Security

Document ID : KB000054451
Last Modified Date : 14/02/2018

Description:

The DBXCHECKEXTSEC stored procedure (external name 'DBXSSF') is called when a user logs into CA Repository WebStation Option. This stored procedure retrieves the resource class name and prefix (SSFCLASS + SSFFAC) from the DBX_SYSTEM table. The procedure then interfaces with the CAISSF macro, which calls your External Security product to verify the class definition and permissions. If access is denied, the DBX_SEC_PROF table is not populated, which results in the message "The User is not Authorized to View any Search Objects and Topics". After further review of the class definition in your ESM, you verify that everything is defined properly and that the intended user(s) have the proper authority to the class. So why are you still getting this message?

Solution:

By default, when the DBXCHECKEXTSEC stored procedure is created during the Repository installation, it is created with the SECURITY DB2 option. This means that access is performed using the authorization ID associated with the stored procedure address space. Therefore, the WLM started task ID requires CONTROL authority for the class.
Ex.

CREATE PROCEDURE repowner.DBXCHECKEXTSEC
                  (IN CHAR(1),          
                   OUT INTEGER,         
                   OUT INTEGER,         
                   OUT VARCHAR(70))     
DYNAMIC RESULT SET 0                    
      EXTERNAL NAME 'DBXSSF'            
LANGUAGE ASSEMBLE                       
PARAMETER STYLE GENERAL                 
MODIFIES SQL DATA                       
NO DBINFO                               
COLLID LT71RB_PACK                      
WLM ENVIRONMENT (M81AWLM3,*)            
STAY RESIDENT YES                       
PROGRAM TYPE SUB                        
SECURITY DB2              -- <<< default option set at installation
RUN OPTIONS 'ERRCOUNT(0)'               
COMMIT ON RETURN YES                    
CALLED ON NULL INPUT                    
;

As an alternative, you can switch to the SECURITY USER option. This means that access is performed using the authorization ID of the user who invoked the stored procedure. To switch to the SECURITY USER option, either drop the procedure and recreate it with this option, or issue an ALTER PROCEDURE statement.

Ex.
(Note: This is for demonstration purposes only. Please generate the DDL for the procedure from the Repository Installation Panel by selecting Option #7 for CREATE, then do a find on DBXCHECKEXTSEC.)

DROP PROCEDURE repowner.DBXCHECKEXTSEC;
COMMIT;
CREATE PROCEDURE repowner.DBXCHECKEXTSEC
                  (IN CHAR(1),          
                   OUT INTEGER,         
                   OUT INTEGER,         
                   OUT VARCHAR(70))     
DYNAMIC RESULT SET 0                    
      EXTERNAL NAME 'DBXSSF'            
LANGUAGE ASSEMBLE                       
PARAMETER STYLE GENERAL                 
MODIFIES SQL DATA                       
NO DBINFO                               
COLLID LT71RB_PACK                      
WLM ENVIRONMENT (M81AWLM3,*)            
STAY RESIDENT YES                       
PROGRAM TYPE SUB                        
SECURITY USER                                     
RUN OPTIONS 'ERRCOUNT(0)'               
COMMIT ON RETURN YES                    
CALLED ON NULL INPUT                    
;

Alternatively, issue an ALTER PROCEDURE statement:

ALTER PROCEDURE repowner.DBXCHECKEXTSEC
SECURITY USER;                          
COMMIT;

After the procedure has been recreated or altered, it is recommended that WLM is refreshed and that the stored procedure is stopped and restarted in DB2.
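
Added example (not part of the original CA document): a DB2 for z/OS catalog query to confirm which SECURITY option is in effect for the procedure, and therefore which ID your External Security product checks against the class. The schema REPOWNER is the placeholder owner from the DDL above and M81AWLM3 is the WLM environment shown there; substitute your own values.

```sql
-- Added example: check the SECURITY option recorded in the DB2 catalog
-- for DBXCHECKEXTSEC. 'REPOWNER' is the placeholder schema from the DDL
-- above (unquoted identifiers are stored in upper case).
SELECT SCHEMA,
       NAME,
       EXTERNAL_NAME,
       WLM_ENVIRONMENT,
       EXTERNAL_SECURITY,
       CASE EXTERNAL_SECURITY
            WHEN 'D' THEN 'SECURITY DB2: WLM address space ID is checked'
            WHEN 'U' THEN 'SECURITY USER: invoking user ID is checked'
            WHEN 'C' THEN 'SECURITY DEFINER: procedure owner ID is checked'
            ELSE 'unexpected value'
       END AS ID_USED_FOR_ESM_CHECK
  FROM SYSIBM.SYSROUTINES
 WHERE SCHEMA = 'REPOWNER'
   AND NAME = 'DBXCHECKEXTSEC'
   AND ROUTINETYPE = 'P';

-- After DROP/CREATE or ALTER, the refresh and restart recommended above
-- are done with operator commands, not SQL. The standard forms are
-- (names taken from the sample DDL, adjust to your site):
--   VARY WLM,APPLENV=M81AWLM3,REFRESH
--   -STOP PROCEDURE(REPOWNER.DBXCHECKEXTSEC)
--   -START PROCEDURE(REPOWNER.DBXCHECKEXTSEC)
-- Re-run the SELECT afterwards and confirm EXTERNAL_SECURITY shows the
-- value you intended before retesting the WebStation login.
```

If the query returns 'D', the ID that needs CONTROL authority for the class is the WLM started task ID; if it returns 'U', the authority of each user who logs in is what the security product evaluates.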