Tork Wrench » db2

DB2 Silent Install Error: The return value is “5121″.

Graham — Wed, 20 Oct 2010 01:15:41 +0000

I hit an interesting problem with DB2 yesterday. I’m a big user of the DB2 silent install. This is a system where you run the DB2 install once manually, and it generates a response file for you. Then you can pass the response file to the installer and run unattended installs. This is great if you want to run the install hundreds of times .

One of the great things about how DB2 releases fixpacks is that they are installable. What I mean by this is that you don’t have to install the first version of the software and apply patches to it, you can just apply the patch at the outset.

When testing out DB2 9.7 fixpack 2 on Linux, I hit a weird error:

DBI1191I db2setup is installing and configuring DB2 according to the
response file provided. Please wait.

A minor error occurred while installing "DB2 Enterprise Server Edition " on
this computer. Some features may not function correctly.

For more information see the DB2 installation log at "/tmp/db2setup.log".

It was a bit more like a major error. The DB2 installer could not create the instance user and so could not create the instance. Which means the system is pretty much useless. The following turned up in the db2setup.log:

ERROR: An error occurred while creating the user "dasusr1" for the DB2
Administration Server. The return value is "5121".

ERROR: One or more errors occurred while creating the DB2 Administration
Server. The DB2 Administration Server may not function properly. Create the DB2
Administration Server manually. If the problem persists contact your technical
service representative.

Creating the DB2 Administration Server :.......Failure
Initializing instance list :.......Success
ERROR: One or more errors occurred while committing the changes to the user
"db2inst1". Create or make any changes to this user manually.

What was interesting was the installer would breeze through creating the groups, but baulk on creating the users. The problem turned out to be a mismatch between the algorithm used to encrypt and read back the passwords in the response file. Something changed in the algorithm in DB2 9.7 FP2 and I was using an old response file from the GA version of the code . Both versions are incompatible with each other. You can clearly see the differences below.

9.7 GA, 9.7 FP1 (also works with 9.5) .

INSTANCE = inst1
inst1.TYPE = ese
* Instance-owning user
inst1.NAME = db2inst1
inst1.GROUP_NAME = db2iadm1
inst1.HOME_DIRECTORY = /home/db2inst1
inst1.PASSWORD = 593230133242295434315043707434799413346823001425633741538145032334202723517094195256569
ENCRYPTED = inst1.PASSWORD

9.7 FP2

INSTANCE = inst1
inst1.TYPE = ese
* Instance-owning user
inst1.NAME = db2inst1
inst1.GROUP_NAME = db2iadm1
inst1.HOME_DIRECTORY = /home/db2inst1
inst1.PASSWORD = 333377148682264443740525262714481366605672981260304236138250671067315119230836024976809300232642443192164424364566092461990364794426528249626805585662932723454154505223133504126517289109622925732216931363336627325161387322413424782188354693567389513644491011426236242812854398233823216405116523748602223626725153057401514552431215907582326503484343543245585453652477658337667246270282392750290224467612813561667382216411648317659354574148559364624131307601139423363164272592837646746588233795445379795763335562194101711319501429563041430692347784922133738943433213046652867344146350193523632002344344968434509267453578515230295356956656970264132961230904523543431572425682015412550223268301328365218036730543424740299692654533629583623984282175520182920793232805290462441180635519113425850809653489466271627442347605434565555912103124813084156657044455642051333441444221049349683381306664113266463298589325748192428273032967352323550433224727201724533057720433345083348938615273614458562569435358516301810326296564555483465334307465096045451631234857628833344831302847557863641503469395590956642326285343632674204393455844314984023245416843221521387423661126412838802637787444011204021973003314770152575062831212231440453524156424162067084343531342553063362371223856227524359124365293692843255244177691321435376512151401304564523708552253510965360349256973548902836644206322692286234882874075305008643214554224269807724973657083122573975292329143605222957342981127836380521658560251613836011663326775931421125833685047046413195983740
ENCRYPTED = inst1.PASSWORD

Obviously security has been increased in FP2 because the password hash is so much longer. Please note that it’s not forwards compatible either. What I mean by this is that the newer version of the response file will not work with older versions of the code either.

To conclude, the solution in this case is simple. Rerun the installer that comes with DB2 9.7 FP2 and generate a new response file for use with this version. I looked through the DB2 APARs list trying to find the fix that changed the encryption algorithm, but couldn’t see it.

Cross platform DB2 backup and restore

Graham — Mon, 18 Oct 2010 04:11:40 +0000

DB2 backups are platform specific. Well, pretty much, it’s a bit complicated.

Recently, someone sent me a Windows DB2 backup for me to look at, and I wanted to move it to a Linux machine.

Here’s some steps about how you would do this.

1. On the source machine run:

db2look -e -o database.sql -l -d

where is the name of the database you want to move.

2. Copy the database.sql to your destination machine.

3. Create a database on the destination machine. You can use the same name, or use a different name and edit first connect statement in the database.sql file to point to the new name.

4. If you look at the database.sql, you will notice that the CREATE TABLESPACE commands will have paths in them. This will probably present a problem, since the paths are unlikely to exist on your destination machine. There are a number of ways you could deal with this, but the easiest in my opinion is to just use DB2′s automatic storage feature and let DB2 worry about it. To show you what I mean by this, here is a tablespace definition from my source database script, straight from db2look.

CREATE REGULAR TABLESPACE "ICMLFQ32" IN DATABASE PARTITION GROUP IBMDEFAULTGROUP PAGESIZE 32768 MANAGED BY SYSTEM
USING ('C:\DB2\NODE0000\SQL00001\ICMLFQ32')
EXTENTSIZE 32
PREFETCHSIZE AUTOMATIC
BUFFERPOOL ICMLSMAINBP32
OVERHEAD 7.500000
TRANSFERRATE 0.060000
DROPPED TABLE RECOVERY ON;

You can see that a Unix/Linux DB2 install would puke on the path in there. Using automatic storage command this becomes:

CREATE TABLESPACE ICMLFQ32 PAGESIZE 32 K MANAGED BY AUTOMATIC STORAGE BUFFERPOOL ICMLSMAINBP32

Much simpler, but you will need to change these tablespace definitions by hand.

5. After fixing up the tablespace paths, try executing:

db2 -tvf database.sql

I had a problem on my system, doing a Windows -> Linux restore. The database.sql had Windows line endings in it, and so when running it on Linux the command just hung. Running dos2unix database.sql fixed it. (This problem was the actual point of this post, but it seemed hard to explain by itself, so…. here we are).

6. Now you should have a skeleton database on the destination, with all the tables there just ready to receive data. To copy the actual data, we’ll be using db2move.
On the source machine, create a new folder and change into it, and then run:

db2move export

7. This should fill the folder up with .ixf and .msg files . Copy the entire folder to your destination machine.

8. On the destination machine change to the export folder you just copied over and run:

db2move load

9. db2load temporarily suspends the referential integrity constraints of DB2. This is done so it doesn’t matter which order you load tables in. But since you have suspended these checks while the data is being loaded in you will need to go and make db2 check each table, to make sure that any referential integrity constraints in the database are valid. If you don’t, you get back a message like this when accessing any tables that you have loaded:

SQL0668N Operation not allowed for reason code "1" on table "".

This means – “You need to check this table, to make sure it is valid” .

To do this, you can query the system catalog table to get back a list of all the tables that need checking, and with a little awk, generate a script to run against the database. There’s probably a prettier way to do this, but it works.

db2 connect to
db2 -x select "tabschema,tabname from syscat.tables where status = 'C'" | awk '{print "SET INTEGRITY FOR "$1"."$2 " IMMEDIATE CHECKED;"}' > check.sql
db2 -tvf check.sql

Now you’re done. If you run a simple select statement against one of the tables you have loaded into the database, DB2 should return with the data. It’s worth noting that this method will work if changing versions of DB2, and will also cover moving from 32 bit versions of DB2 to 64 bit.

DB2 9.5 install hangs on Linux during db2icrt

Graham — Tue, 22 Jun 2010 02:07:16 +0000

Yesterday I spent a bunch of time cleaning up our collection of kickstart files. It’s a grind, I must’ve rerun the Redhat installer 40 times in the last 24 hours. The nice thing is that we now have the same base linux install for all the different versions of Redhat and Fedora that we are using.

All this change has thrown up some new problems however. For each of the installs I was doing, the system would hang when trying to install DB2.

When there is a problem with the db2 install, the first place to go is the /tmp/db2setup.log. Inside that it seemed to be hanging on the instance creation step.

Command to be run: "cd /opt/ibm/db2/V9.5/;/opt/ibm/db2/V9.5/instance/db2icrt -a server -s wse -u db2fenc1 -p db2c_db2inst1 db2inst1".

Looking through the output of ps -ef | grep db2, I saw a suspicious process called UpdateAutoRun.sh.

I couldn’t find a DB2 specific technote for this error, but a bit of searching brought up this one from Tivoli Monitoring (ITM). Apparently DB2 installs an instance of ITM along with DB2 – I’m not sure what it is for. Anyway, there seems to be a dodgy script inside the ITM that relies on the venerable text editor ‘ed’. Without ed installed the log file /itma/logs/UpdateAutoRun.log keeps filling up with the line:

UpdateAutoRun.sh info: Delete of agent start all record successful.

Installing ed in (even while db2setup is running!) allows this script to finish and the rest of the install to complete successfully.

DB2 and ConfigEngine : Security mechanism not supported

Graham — Sun, 28 Jun 2009 04:19:58 +0000

I try to post really random solutions here, and this one’s a doozy ! I was updating a production machine from Portal 6.1.0 to 6.1.0.2. I always run the ConfigEngine tasks validate-standalone-ldap and validate-database-connection before I run any Portal update to make sure that the update won’t fail from something silly like a missing password. I’d highly recommend this practice on your Portal systems.
This time when running validate-database-connection, I ran into this error:

action-validate-database:
[echo] domain 'jcr'
[echo] DbtDbDriver 'com.ibm.db2.jcc.DB2Driver'
[echo] DbtDbLibrary '/home/db2inst1/sqllib/java/db2jcc.jar:/home/db2inst1/sqllib/java/db2jcc_license_cu.jar'
[echo] DbtDbUser 'db2inst1'
[echo] DbtDbUrl 'jdbc:db2://localhost:50000/WPS6TCP'
[echo] DbtDbName 'WPS6TCP'
[java] [06/28/09 13:47:09.620 EST] Attempting to make connection using: jdbc:db2://localhost:50000/WPS6TCP :: db2inst1 :: PASSWORD_REMOVED
[java] [06/28/09 13:47:09.875 EST] ERROR: Error obtaining connecting for jdbc:db2://localhost:50000/WPS6TCP
[java] com.ibm.db2.jcc.b.SqlException: [ibm][db2][jcc][t4][201][11237] Connection authorization failure occurred. Reason: Security mechanism not supported.
[java] at com.ibm.db2.jcc.a.b.m(b.java:1981)
[java] at com.ibm.db2.jcc.a.b.a(b.java:1565)
[java] at com.ibm.db2.jcc.a.bb.b(bb.java:3386)
[java] at com.ibm.db2.jcc.a.bb.a(bb.java:332)
[java] at com.ibm.db2.jcc.a.bb.a(bb.java:112)
[java] at com.ibm.db2.jcc.a.b.j(b.java:1259)
[java] at com.ibm.db2.jcc.a.b.b(b.java:1132)
[java] at com.ibm.db2.jcc.a.b.b(b.java:715)
[java] at com.ibm.db2.jcc.a.b.a(b.java:701)
[java] at com.ibm.db2.jcc.a.b.a(b.java:378)
[java] at com.ibm.db2.jcc.a.b.(b.java:316)
[java] at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:166)
[java] at java.sql.DriverManager.getConnection(DriverManager.java:572)
[java] at java.sql.DriverManager.getConnection(DriverManager.java:165)
[java] at com.ibm.wps.config.db.Database.init(Database.java:139)
[java] at com.ibm.wps.config.db.validation.ValidationDriver.main(ValidationDriver.java:209)

It looked like the problem I’d seen on Ubuntu, where the database password was hashed with an unsupported scheme, but it couldn’t be, because this was on a plain old RHEL system. The difference was that I’d recently changed DB2′s database manager settings from AUTHENTICATION = SERVER to AUTHENTICATION = DATA_ENCRYPT . DATA_ENCRYPT is good because it will send your sql data and your authentication details encrypted across the wire.

Anyway, to make the validation work on a system where you have enabled the DATA_ENCRYPT parameter, just add securityMechanism=13; to the end of the database url. So mine becomes:

jcr.DbUrl=jdbc:db2://localhost:50000/WP6TCP:securityMechanism=13;

So how would the system work in any case, if the database url was wrong?!? The answer is clear after delving into the WebSphere admin console a little bit. I’d configured the custom properties of each Portal datasource post database transfer to work with DATA_ENCRYPT, but not the database urls in wkplc_comp.properties. Here’s where you would set it.

It is important to emphasize that the wkplc*.properties file in ConfigEngine are templates only, and don’t affect the running of the system, until you run a ConfigEngine task against them. Only then do their values get copied to the actual Portal server.

ERRORCODE=-4214, SQLSTATE=28000 from DB2 on Ubuntu

Graham — Mon, 04 May 2009 06:36:46 +0000

Updated 28th October, 2010
Newer versions of DB2 address this problem. Read about it here.

Two posts in one day, wow. It’s all part of our special series: how to install and configure WebSphere Portal 6.1 on Ubuntu. This isn’t a Portal only issue, rather it’s a DB2+Ubuntu issue.

After getting Portal installed on this Ubuntu machine, you’re probably going to want to transfer the default Derby database to something more robust like DB2. So you edit wkplc_comp.properties and wkplc_dbtype.properties, and start to run:

./ConfigEngine.sh create-database

And you get this in the ConfigTrace.log

[sqlproc] action: execute-sql-scripts
[sqlproc] _________________________________________________________
[sqlproc] Database autocommit parameter true
[sqlproc] No delimiter has been specified, using [;] to separate the SQL statements.
[sqlproc] Reading file /opt/WebSphere/wp_profile/ConfigEngine/config/database/work/db2/createBufferpools.run
[sqlproc] Could not connect to database
[sqlproc] com.ibm.db2.jcc.b.ao: [jcc][t4][2010][11246][3.53.70] Connection authorization failure occurred. Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
BUILD FAILED

Hmm, ok, I thought db2 was working. A good habit when debugging these things is to take the piece that ConfigEngine is trying run and run it independently. So right now I want ConfigEngine to create an empty db2 database that I can run database-transfer against. Try this:

su - db2inst1
db2 create db WP610 using codeset UTF8 territory au pagesize 8192

And that comes back successfully. However, that command sequence is not an accurate representation of what ConfigEngine is actually doing. We’re running ConfigEngine as root. But the ConfigEngine script is using the “user db2inst1 using ” modifiers on the end of the database create command. So how about this?

db2 create db WP610 using codeset UTF8 territory au pagesize 8192 user db2inst1 using password
SQL30082N Security processing failed with reason "15" ("PROCESSING FAILURE").
SQLSTATE=08001

Ah ha, a failure. In the first example, DB2 already trusts the user that we’re logged is as (db2inst1), so it doesn’t need to go back to the operating system and authenticate it. In the second example, we are logged in as root, so db2 needs to go to the operating system and authenticate the user. Ubuntu uses the tried and true passwd + shadow file combo to store usernames and their associated passwords. The trouble is since Ubuntu 8.10, it uses the newer and more secure SHA512 hashing function to store the passwords, and DB2 doesn’t understand SHA512. So the workaround is to change the hashing function in use on the machine, reset the password and then we should be able to use the “user db2inst1 using ” type commands again.

Open /etc/pam.d/common-password in a text editor and change this line:

password [success=1 default=ignore] pam_unix.so obscure sha512

password [success=1 default=ignore] pam_unix.so obscure md5

Then run passwd db2inst1 and put the same or a new password. If you look at the shadow file , the hash will change from something like this:
SHA512

db2inst1:$6$IKe6x6Zq$bSajPzHNIy7jQrPXbI8CrPRlpDYUVm8.A2BhNCxes5cY6LWoh7hQr14XW4agBWbW1ywKkSSDSLFV.NXCr2/1z0:14368:0:99999:7:::

MD5

db2inst1:$1$FF0YDtZn$gemqCKt4Ml375mhiBXk2U/:14368:0:99999:7:::

(The unencrypted password here is ‘password’ – don’t get too excited!) .

Now try running ConfigEngine.sh create-database again. It should work. Make sure you change the system /etc/pam.d/common-password back to sha512, as you want the rest of your users to use this hashing function as it is more secure than md5sum . Hopefully DB2 should address this in a fixpack.