How to connect ServiceNow ITOM with DB2 (db2luw) on AIX/Linux?
01-16-2025 10:50 PM
Hello.
Has anyone connected ServiceNow ITOM with db2luw on AIX/Linux?
The content below is the 'IBM Db2 on Linux database discovery' section of ServiceNow ITOM, but I don't think I can do it according to that manual.
https://www.servicenow.com/docs/bundle/xanadu-it-operations-management/page/product/service-mapping/...
The first problem is that the ServiceNow ITOM account and the db2luw server instance account can be in the same group, which is a security issue.
The second problem is that executing the server instance db2profile causes security issues.
The third problem is that reading the db2diag.log file in the directory seems to cause problems when the value of the diagpath parameter is changed.
I'd like to know if db2luw has a way to access the DB and get the results like Oracle 12c does, and if not, I'd like to see that changed.
https://www.servicenow.com/docs/bundle/vancouver-it-operations-management/page/product/service-mappi...
Can anyone tell me how I can connect ServiceNow ITOM with db2luw in the way I want or forward my suggestion to the development team?
My client is in a ServiceNow ITOM PoV, so I don't have access to make suggestions to the development team.
Thank you in advance.
Labels: Orchestration (ITOM)
01-19-2025 02:57 PM
I'm not sure you can work around those limitations.
(Note: my memory around DB2 and its locations/env vars is a bit hazy...)
Most DB2 discovery (on *nix based systems) relies on using the db2 command line to execute commands like 'db2 get dbm cfg', 'db2level', etc., and to execute those in the correct instance, you need to source the ./db2profile linked to the instance user home directory to source the equivalent environment variables into the discovery session.
Hence the requirement for the ITOM discovery user to be in the same group as the instance user, so discovery can execute something like $HOME/bin/db2profile in the instance $HOME dir with the permissions 750, so the instance group has r-x on the db2profile and other scripts but can't change the scripts.
Note: I'm not considering the SYSADM, SYSCTL groups - which is probably part of your security concerns...
Even the IBM discovery tool has the same prerequisites/concerns:
- DB2 must be installed in the instance owner's home directory.
- The DB2 user credentials must belong to the DB2 administration group.
The only other option you could consider is switching the group on the db2 instance $HOME directory to a specific 'discovery group' or a lower SYSMON group, but I'm not sure how that would affect the functionality of the remaining commands in the DB2 binaries... probably more custom permissions like setting 755 on DB2 installation path /opt/ibm/db2/v11.xx, which would be unpleasant.
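
One way to audit the permission model discussed in this thread (the discovery account shares a group with the instance scripts, which sit at 750 so the group can read and execute but not modify them), as an added example that is not part of either post and is not ServiceNow or IBM code. The file path, group and user are supplied by the caller; `check_profile_perms` and `user_in_group` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not ServiceNow or IBM code). Paths, user and group names are
# supplied by the caller; nothing here is taken from a real installation.

# check_profile_perms FILE GROUP
# Returns 0 when FILE is group-owned by GROUP, group-readable, not writable by
# group or others, and closed to others (the 750 model). Prints each finding.
check_profile_perms() {
    file=$1; want_group=$2; rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }
    # Parse ls -ld rather than stat(1), whose options differ on AIX and Linux.
    set -- $(ls -ld "$file")
    mode=$1; group=$4
    grp=$(printf '%s' "$mode" | cut -c5-7)
    oth=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$group" != "$want_group" ]; then
        echo "FINDING: group owner is $group, expected $want_group"; rc=1
    fi
    case $grp in
        ?w?) echo "FINDING: group can modify $file ($mode)"; rc=1 ;;
    esac
    case $grp in
        r??) ;;
        *) echo "FINDING: group cannot read $file, sourcing will fail"; rc=1 ;;
    esac
    if [ "$oth" != "---" ]; then
        echo "FINDING: others have access to $file ($mode)"; rc=1
    fi
    return $rc
}

# user_in_group USER GROUP: 0 when USER is a member of GROUP.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Usage: sh audit.sh /path/to/db2profile instance_group discovery_user
if [ $# -eq 3 ]; then
    check_profile_perms "$1" "$2"; perm_rc=$?
    user_in_group "$3" "$2" || { echo "FINDING: $3 is not in $2"; perm_rc=1; }
    exit $perm_rc
fi
```

A group-write finding matters most here: any member of the shared group could then alter a script that the discovery session sources with its own credentials.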