How to resolve this Query Optimization issue?

Query Optimization Issue:

Assume that a query is executing by a application developer or a client. The query has all the indexes on the columns which are required and performed well upto certain time, suddenly got complaints about the same query that it is not performing well taking too much time to retrieve. Please leave your valuable comments how you people can resolve this issue.

Read more

Share views to resolve the below reorg issue

Read more

Difference between Online Reorg and Offline Reorg in DB2

Online reorg vs Offline reorg:

Offline or Classical Reorg:

So many people think that Offline reorg quiesces the database, so no applications are able to connect or access the tables. But while performing offline reorg applications can access tables, but they have limited access. Read access only at the time of SORT and BUILD phases.

Read more

What are the different phases of Online & Offline Reorg in DB2 ?

Different Phases of Reorg:

Basically Reorg sorts the data using index scan or table scan and moves the records from one page to a previous page which has some free space due to deletion of rows from a table to reclaim the space.

There are "TWO" types of reorgs:

• ==> Offline reorg or Classic reorg
• ==> Online reorg or Inplace reorg

Each reorg type consists of different phases of execution.

Read more

What are the DB2 LUW DBA daily activities?

DB2 DBA Daily Activities:

Daily Activities:

• ==> Verify all the instances and databases are running.
• ==> Check the backup status of the databases.
• ==> Check the archiving of database logs.
• ==> Verify the pruning of database backups and archival logs.
• ==> Check the status of Reorg/Runstats jobs if you have enabled.
• ==> Check the db2 diagnostic logs and notification logs.
• ==> Check the size/status of each mount database server is using.

Read more

How to take data Online Backup in DB2?

Data Backups in DB2

Offline Backup:

Offline backup means we can take the data when there are no connections from the applications to the database. No need to configure any database configuration parameter such as LOGARCHMETH1, LOGARCHMETH2 etc..

Read more

How to replicate instance configuration parameters in DB2?

db2cfexp – Connectivity Confg Export tool command

It'll export the database manager and all the instance level configuration, registry variables, node details, database details including remote databases and protocol information details into an external file.

Read more

DB2 Important Commands

Commands for DB2 DBA

Read more

How to setup logical data partitioning in DB2?

How to setup Logical Data Partition Step by Step:

What is Data Partitioning:

Present days databases and data warehouses become larger, this is somewhat complicated to maintain growth of the database. To avoid this and to manage the growth of the data IBM introduce the concept called "Database Partitioning Feature", "Table Partitioning" and Multi Dimensional Clustering". 

In this article we are going look at "Database Partitioning Feature".

Read more

Data concurrency in DB2 deep dive

DB2 concurrency basics

In a multi-user database environment, transactions are usually executed simultaneously. Each transaction has the potential to interfere with any other transaction that is running. Without any appropriate locking mechanism, the following undesirable effects may occur:

Lost updates: Two applications, A and B, might both read the same row from the database, and both calculate new values for one of its columns based on the data these applications read. If A updates the row with its new value and B then also updates the row, the update performed by A is lost.

Read more

Overview of LOCK ISSUES in DB2

In this post we are going to discuss about three main lock issues:

•        > Lock Escalations
•        > Lock Waits
•        > DeadLocks

Lock Escalations:

How many of you know that locks will also use memory? Yes they uses a a certain amount of memory and CPU. Sometimes there may be many row level locks present on a single table. So it may lead to more usage of memory and CPU. This this kind of scenarios DB2 automatically acquire a table level lock by replacing all the row level locks to free up the lock memory. This is know as "Lock Escalation".

Read more

How to Identify the version and service level of DB2 product?

To know the DB2 product version and service level we can use "db2level".
The output of the "db2level" command will be as below.

The combination of the four informational tokens uniquely identify the precise service level of your DB2 instance. This information is essential when contacting IBM Software Support for assistance.

For JDBC or SQLJ applications, if you are using the IBM DB2 Driver for SQLJ and JDBC, you can determine the level of the driver by running the db2jcc utility:

db2jcc -version
IBM DB2 JDBC Driver Architecture 2.3.63

Read more

Troubleshooting tools for Performance Tuning: Analyzing db2diag log files using db2diag tool

Primary log files are for the use of database and administration notification log are for system administrators. The db2diag log files are for the use of IBM Software Support for troubleshooting.

Even administration notification log messages are also logged to the db2diag log files.

The db2diag tool serves to filter and format the volume of information available in the db2diag log files. Filtering db2diag log file records can reduce the time required to locate the records needed when troubleshooting problems.

Read more

Troubleshooting tools for Performance Tuning: DB2DART

Overview of the db2dart tool

The main tool that is used to verify the database architecture and the objects that are belonging to a database. The contents of database control files will be displayed to extract data from tables.

db2dart will create a report file with a default name <databaseName>. RPT. The report file will be created in the current directory for a single-partition database. If it is a multiple-partition database file will be created under the diagnostic directory. The subdirectory is called DART<dbpartition number>.

Read more

Checking archive log files with the db2cklog tool

Checking archive log files with the db2cklog tool

Checking archive log files with the db2cklog toolChecking your archive log files ensures that known good log files are available in case a rollforward recovery becomes necessary and that the recovery operation does not fail because of a problem with a log file. The db2cklog tool reads either single log files or a range of numbered log files and performs checks on the internal validity of the files. Log files that pass validation without any error messages or warnings are known good files and you can use them during a rollforward recovery operation. If an archive log file fails validation with an error message or if a warning is returned, then you must not use that log file during rollforward recovery.

Read more

Establishing a performance tuning strategy

The Design Advisor

The DB2 Design Advisor is a tool that can help you significantly improve your workload performance. The task of selecting which indexes, materialized query tables (MQTs), clustering dimensions, or database partitions to create for a complex workload can be daunting. The Design Advisor identifies all of the objects that are needed to improve the performance of your workload.

Given a set of SQL statements in a workload, the Design Advisor generates recommendations for:

Read more

Self-tuning memory in partitioned database environments

There are few factors to determine the self tuning feature will tune the system appropriately in partitioned database environment.

When self-tuning memory is enabled for partitioned databases, a single database partition is designated as the tuning partition, and all memory tuning decisions are based on the memory and workload characteristics of that database partition.

After tuning decisions on that partition are made, the memory adjustments are distributed to the other database partitions to ensure that all database partitions maintain similar configurations.

The single tuning partition model assumes that the feature will be used only when all of the database partitions have similar memory requirements. You have to go through the following cases when determining whether to enable self-tuning memory on your partitioned database.

Read more

How Resource utilization will be done in DB2

Memory allocation

Memory allocation and deallocation occurs at various times. Memory might be allocated to a particular memory area when a specific event occurs (for example, when an application connects), or it might be reallocated in response to a configuration change.

Below figure shows the different memory areas that the database manager allocates for various uses and the configuration parameters that enable you to control the size of these memory areas. Note that in a partitioned database environment, each database partition has its own database manager shared memory set.

Read more

Performance monitoring tools and methodology

Operational monitoring of system performance

Operational monitoring refers to collecting key system performance metrics at periodic intervals over time. This information gives you critical data to refine that initial configuration to be more tailored to your requirements, and also prepares you to address new problems that might appear on their own or following software upgrades, increases in data or user volumes, or new application deployments.

Operational monitoring considerations

A DB2 database (“DB2”) system provides some excellent sources of monitoring data. The primary ones are snapshot monitors and, in DB2 Version 9.5 and later, workload management (WLM) table functions for data aggregation. Both of these focus on summary data, where tools like counters, timers, and histograms maintain running totals of activity in the system. By sampling these monitor elements over time, you can derive the average activity that has taken place between the start and end times, which can be very informative.

There is no reason to limit yourself to just metrics that the DB2 product provides. In fact, data outside of the DB2 software is more than just a nice-to-have. Contextual information is key for performance problem determination. The users, the application, the operating system, the storage subsystem, and the network - all of these can provide valuable information about system performance. Including metrics from outside of the DB2 database software is an important part of producing a complete overall picture of system performance.

Read more

Performance tuning tools and methodology

Benchmark testing:

Benchmark testing is a normal part of the application development life cycle. It is a team effort that involves both application developers and database administrators(DBAs).

Benchmark testing is performed against a system to determine current performance and can be used to improve application performance. If the application code has been written as efficiently as possible, additional performance gains might be realized by tuning database and database manager configuration parameters.

Different types of benchmark tests are used to discover specific kinds of information. For example:

Read more

File Permimission Requirements for the Instance and Database Directories

The DB2 database system requires that your instance and database directories have a minimum level of permissions.

Note: When the instance and database directories are created by the DB2 database manager, the permissions are accurate and should not be changed.

The minimum permissions of the instance directory and the NODE000x/sqldbdir directory on UNIX and Linux machines must be: u=rwx and go=rx. The meaning of the letters is explained in the following table:

Character Represents:
u User (owner)
g Group
o Other users
r Read
w Write
x Execute

For example, the permissions for the instance, db2inst1, in /home are:
drwxr-xr-x 36 db2inst1 db2grp1 4096 Jun 15 11:13 db2inst1

For the directories containing the databases, each and every directory level up to and including NODE000x needs the following permissions:
drwxrwxr-x 11 db2inst1 db2grp1 4096 Jun 14 15:53 NODE0000/

For example, if a database is located in /db2/data/db2inst1/db2inst1/NODE0000 then the directories: /db2, /db2/data, /db2/data/db2inst1, /db2/data/db2inst1/db2inst1 and /db2/data/db2inst1/db2inst1/NODE0000 need drwxrwxr-x.

Within the NODE000x directory, the sqldbdir directory requires the permissions drwxrwxr-x, for example:
drwx------ 5 db2inst1 db2grp1 256         Jun 14 14:17 SAMPLE/
drwxr-x--- 7 db2inst1 db2grp1 4096 Jun 14 13:26 SQL00001/
drwxrwxr-x 2 db2inst1 db2grp1 256         Jun 14 13:02 sqldbdir/

Read more

Security considerations when installing and using the DB2 database manager

Important to the DB2 administrator from the moment the product was installed are Security Considerations.

A user ID, a group name, and a password are required to complete the installation of DB2 database manager. If you install a GUI-based DB2 database manager that only creates default values for different user IDs and the group.  Depending on the OS platform different defaults will be created.

On UNIX and Linux operating systems, if you choose to create a DB2 instance in the instance setup window, the DB2 database install program creates, by default, different users for the DAS (dasusr), the instance owner (db2inst), and the fenced user (db2fenc). Optionally, you can specify different user names The DB2 database install program appends a number from 1-99 to the default user name, until a user ID that does not already exist can be created. For example, if the users db2inst1 and db2inst2 already exist, the DB2 database install program creates the user db2inst3. If a number greater than 10 is used, the character portion of the name is truncated in the default user ID. For example, if the user ID db2fenc9 already exists, the DB2 database install program truncates the c in the user ID, then appends the 10 (db2fen10). Truncation does not occur when the numeric value is appended to the default DAS user (for example, dasusr24).

On Windows operating systems, the DB2 database install program creates, by default, the user db2admin for the DAS user, the instance owner, and fenced users (you can specify a different user name during setup, if you want). Unlike Linux and UNIX operating systems, no numeric value is appended to the user ID.

For authentication process passwords are very important. If no authentication requirements are set at the operating system level and the database is using the operating system to authenticate users, users will be allowed to connect. For example on Linux and UNIX operating systems, undefined passwords are treated as NULL. In this situation, any user without a defined password will be considered to have a NULL password. From the operating system's perspective, this is a match and the user is validated and able to connect to the database. Use passwords at the operating system level if you want the operating system to do the authentication of users for your database.

When working with partitioned database environments on Linux and UNIX operating systems, the DB2 database manager by default uses the rsh utility (remsh on HP-UX) to run some commands on remote members. The rsh utility transmits passwords in clear text over the network, which can be a security exposure if the DB2 server is not on a secure network. You can use the DB2RSHCMD registry variable to set the remote shell program to a more secure alternative that avoids this exposure. One example of a more secure alternative is ssh.

By default, the installation process grants system administration (SYSADM) privileges to the following users on each operating system:

Linux and UNIX operating systems

1. To a valid DB2 database user name that belongs to the primary group of the instance owner.

Windows environments

1. To members of the local Administrators group.
2. If the DB2 database manager is configured to enumerate groups for users at the location where the users are defined, to members of the Administrators group at the Domain Controller. You use the DB2_GRP_LOOKUP environment variable to configure group enumeration on Windows operating systems.
3. If Windows extended security is enabled, to members of the DB2ADMNS group. The location of the DB2ADMNS group is decided during installation.
4. To the LocalSystem account.

By updating the database manager configuration parameter sysadm_group, the administrator can control which group of users possesses SYSADM privileges.

The administrator should consider creating an instance owner user ID that is easily recognized as being associated with a particular instance.
1. This user ID should have as one of its groups, the name of the SYSADM group created previously.
2. Another recommendation is to use this instance-owner user ID only as a member of the instance owner group and not to use it in any other group.
3. This should control the proliferation of user IDs and groups that can modify the instance.
4. The created user ID must be associated with a password to provide authentication before being permitted entry into the data and databases within the instance.

Read more

Authentication & Authorization process in DB2

Authentication:

The process that verifies user identity at OS level is known as "authentication". The security product can be part of the OS or a separate product.

To authenticate a user security facility requires two items:
1. User ID
2. Password

The user ID identifies the user to the security facility. By supplying the correct password, information known only to the user and the security facility, the user's identity (corresponding to the user ID) is verified.

What will happen after being authenticated:

1. The user must be identified to DB2 using an SQL authorization name or authid.
2. This name can be same as user ID, or a mapped value.
3. A list of groups to which the user belongs is obtained.
4. Group membership may be used when authorizing the user.
5. Groups are security facility entities that must also map to DB2 authorization names. This mapping is done in a method similar to that used for user IDs.

The DB2 database manager uses the security facility to authenticate users in one of two ways:
A successful security system login is used as evidence of identity, and allows:
– Use of local commands to access local data
– Use of remote connections when the server trusts the client authentication.

Successful validation of a user ID and password by the security facility is used as evidence of identity and allows:
– Use of remote connections where the server requires proof of authentication
– Use of operations where the user wants to run a command under an identity other than the identity used for login.

Authorization:

Authorization is performed using DB2 facilities. DB2 tables and configuration files are used to record the permissions associated with each authorization name.

When an authenticated user tries to access data, these recorded permissions are compared with the permissions of:

1. The authorization name of the user
2. The groups to which the user belongs
3. The roles granted to the user directly or indirectly through a group or a role
4. The permissions acquired through a trusted context
5. Based on this comparison, the DB2 server determines whether to allow the requested access.

The types of permissions recorded are privileges, authority levels, and LBAC credentials.

A privilege defines a single permission for an authorization name, enabling a user to create or access database resources. Privileges are stored in the database catalogs.

Authority levels provide a method of grouping privileges and control over database manager operations. Database-specific authorities are stored in the database catalogs; system authorities are associated with group membership, and the group names that are associated with the authority levels are stored in the database manager configuration file for a given instance.

LBAC credentials are LBAC security labels and LBAC rule exemptions that allow access to data protected by label-based access control (LBAC). LBAC credentials are stored in the database catalogs.

Groups provide a convenient means of performing authorization for a collection of users without having to grant or revoke privileges for each user individually.

A role is a database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC, or other roles by using a GRANT statement or to a trusted context by using a CREATE TRUSTED CONTEXT or ALTER TRUSTED CONTEXT statement. A role can be specified for the SESSION_USER ROLE connection attribute in a workload definition. When you use roles, you associate access permissions on database objects with the roles. Users that are members of those roles then have the privileges defined for the role with which to access database objects.

During an SQL statement processing, the permissions that the DB2 authorization model considers are the union of the following permissions:
1. The permissions granted to the primary authorization ID associated with the SQL statement
2. The permissions granted to the secondary authorization IDs (groups or roles) associated with the SQL statement
3. The permissions granted to PUBLIC, including roles that are granted to PUBLIC, directly or indirectly through other roles.
4. The permissions granted to the trusted context role, if applicable.

Read more

DB2 Database Security Model

The DB2 database system data and functions have two modes of security controls
1. Authentication (Outside the DB2 database system)
2. Authorization (Managed by database manager)

Authentication: 

1. The process that verifies user identity at OS level is known as "authentication".
2. In this the authentication of user completed by a secure facility outside the DB2 database system         using an authentication security plug-in module.
3. The default authentication will be set when we install the DB2 database system.
4. A DB2 authentication ID will be produced at the time of the authentication process.

Authorization:

1. The database manager will determine the accesses allowed to a user on DB2 data or resources,           after successful completion of user authentication.
2. In this authorization process the DB2 database manager will check that which database operations       that user can perform, and which data objects that the user can access.

The different sources of permissions available to an authorization ID are as follows:

• Primary permissions: those granted to the authorization ID directly.
• Secondary permissions: those granted to the groups and roles in which the
• authorization ID is a member.
• Public permissions: those granted to PUBLIC.
• Context-sensitive permissions: those granted to a trusted context role.

Authorization can be given to users in the following categories:

System-level authorization

The system administrator (SYSADM), system control (SYSCTRL), system maintenance (SYSMAINT), and system monitor (SYSMON) authorities provide varying degrees of control over instance-level functions. Authorities provide a way both to group privileges and to control maintenance and utility operations for instances, databases, and database objects.

Database-level authorization

The security administrator (SECADM), database administrator (DBADM), access control (ACCESSCTRL), data access (DATAACCESS), SQL administrator (SQLADM), workload management administrator (WLMADM), and explain (EXPLAIN) authorities provide control within the database. Other database authorities include LOAD (ability to load data into a table), and CONNECT (ability to connect to a database).

Object-level authorization

Object level authorization involves checking privileges when an operation is performed on an object. For example, to select from a table a user must have SELECT privilege on a table (as a minimum).

Content-based authorization

Views provide a way to control which columns or rows of a table specific users can read. Label-based access control (LBAC) determines which users have read and write access to individual rows and individual columns.

Read more