rds-db2


Amazon RDS for Db2

Overview

Amazon RDS for Db2 is a managed IBM Db2 LUW service. Because the host is managed, you cannot SSH to it, install agents, or run unfenced external stored procedures written in C or COBOL. Java stored procedures work via `sqlj.install_jar`. This skill covers the operator lifecycle: provisioning with IBM licensing, client install and TLS connectivity, migration from self-managed Db2 on Linux/AIX/Windows/z/OS/AS400, S3 backup and restore, Multi-AZ and cross-region standby replicas, and the RDSADMIN stored procedures that replace SYSCTRL/SYSMAINT authority.
It also covers six additional security and operations areas: customer-managed KMS keys (BYOK), self-managed Active Directory with Kerberos authentication, Db2 audit to S3, code page and collation selection (EBCDIC, CCSID), minimum IAM permissions, and EC2/RDS colocation for Multi-AZ latency and failover.
The AWS MCP server is recommended but not required; all operations are expressed in AWS CLI syntax and run with or without it.
Routes to the matching sub-skill reference. Load only the matching reference.

Common Tasks

Verify Dependencies

Before executing an RDS for Db2 workflow, confirm the required tools exist. Do not run installers or API calls yet.
  • AWS CLI v2 for every RDS API call
  • AWS credentials via a managed mechanism (IAM role, instance profile, `ada credentials update`), not pasted credentials
  • Client install: `bash`/`curl` access, run as root and as `db2inst1`
  • Airgap install: an internet-connected machine plus a target with VPC endpoints for S3, SSM and Secrets Manager
  • Mainframe migration: z/OS access, IBM ADB2GEN license, Python 3
  • BYOK / customer-managed KMS: `openssl` (to wrap imported key material) and `jq` (to parse `get-parameters-for-import` output)
  • Self-managed Active Directory + Kerberos: `realmd`, `sssd`, `adcli`, `krb5-workstation` on the client, plus a valid Kerberos ticket (`kinit` produces a TGT; check it with `klist`)
  • Kerberos JDBC test: a JDK and the Db2 JDBC driver `db2jcc4.jar` v4.33+ (earlier driver versions lack `securityMechanism=11` Kerberos support)
Constraints:
  • The agent MUST check dependencies before running any install or AWS API command.
  • The agent MUST NOT prompt the user to paste credentials; credentials MUST flow through an IAM role or instance profile.
  • The agent MUST tell the user which dependencies are missing and MUST respect the user's decision to abort.
  • The agent MUST explain, for each step, what it does, why, and which tool will be invoked, before invoking it.
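An added example of the pre-flight check the constraints above call for; it is not one of the skill's bundled scripts. It lists missing executables per workflow without running any installer, parses `klist` output to confirm a live TGT, and flags an environment that carries pasted long-term keys. The package-to-binary mapping (`realmd` checked as `realm`, `krb5-workstation` as `kinit`/`klist`), the MIT `klist` timestamp layout, and the `AKIA` prefix heuristic for long-term keys are assumptions made here, not facts stated on this page.

```python
"""Pre-flight dependency check for the RDS for Db2 workflows (added example,
not part of the skill's bundled scripts)."""
import re
import shutil
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Executables per workflow, derived from the dependency bullets above.
# Assumption: package names map to these binaries (realmd -> realm,
# krb5-workstation -> kinit/klist, sssd ships an 'sssd' daemon binary).
TOOLSETS: Dict[str, List[str]] = {
    "base": ["aws"],                       # every RDS API call goes through the CLI
    "client-install": ["bash", "curl"],
    "byok-kms": ["openssl", "jq"],
    "ad-kerberos": ["realm", "sssd", "adcli", "kinit", "klist"],
    "kerberos-jdbc": ["java"],
    "mainframe-migration": ["python3"],
}


def missing_tools(workflow: str,
                  which: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Names the workflow needs that are not on PATH. 'which' is injectable so
    the check can be exercised without touching the real PATH."""
    wanted = TOOLSETS["base"] + TOOLSETS.get(workflow, [])
    return [tool for tool in wanted if which(tool) is None]


# MIT klist prints "<valid starting>  <expires>  <service principal>"; the
# timestamp layout is locale dependent, so two common forms are accepted.
_KLIST_TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")
_TGT_LINE = re.compile(r"^\s*(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/")


def tgt_expiry(klist_output: str) -> Optional[str]:
    """ISO-8601 expiry of the krbtgt ticket, or None if klist shows no TGT."""
    for line in klist_output.splitlines():
        match = _TGT_LINE.match(line)
        if not match:
            continue
        for fmt in _KLIST_TIME_FORMATS:
            try:
                return datetime.strptime(match.group(2), fmt).isoformat()
            except ValueError:
                continue
    return None


def tgt_is_valid(klist_output: str, now_iso: str) -> bool:
    """True only when a TGT is present and has not expired at 'now_iso'."""
    expiry = tgt_expiry(klist_output)
    return expiry is not None and datetime.fromisoformat(expiry) > datetime.fromisoformat(now_iso)


def pasted_long_term_key(env: Dict[str, str]) -> bool:
    """Heuristic (assumption): a static AKIA* access key with no session token
    means credentials were pasted rather than obtained from a role or instance
    profile, which the constraints above forbid."""
    return env.get("AWS_ACCESS_KEY_ID", "").startswith("AKIA") and not env.get("AWS_SESSION_TOKEN")


def preflight(workflow: str, klist_output: str, now_iso: str, env: Dict[str, str]) -> List[str]:
    """Collect every blocker so the user sees the full list before deciding to abort."""
    blockers = [f"missing tool: {tool}" for tool in missing_tools(workflow)]
    if workflow == "ad-kerberos" and not tgt_is_valid(klist_output, now_iso):
        blockers.append("no valid Kerberos TGT (run kinit, then check klist)")
    if pasted_long_term_key(env):
        blockers.append("long-term access key in environment; use an IAM role or instance profile")
    return blockers
```

Report the whole list in one message rather than stopping at the first missing tool; the user decides whether to abort.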

Classify and Route

Map the user's question to the correct sub-skill reference, then load only that file.

| User says | Sub-skill | Load |
|---|---|---|
| create / provision / parameter group / IBM customer ID / IBM site ID / License Manager / BYOL / GovCloud | provisioning | provisioning.md |
| connect / SQL30082N / SQL1531N / DSN / CLP / Python / Java / CloudShell / airgap | connectivity | connectivity.md |
| SSL / TLS / GSKit / certificate / truststore / bundle.pem | connectivity-tls | connectivity-tls.md |
| Python driver / JDBC / laptop / multi-instance / db2_use | connection drivers | connection-drivers.md |
| migrate / DMS / Q Replication / IIDR / AIX / Windows / AS400 / precheck | migration | migration.md |
| z/OS / mainframe / ADB2GEN / schema conversion | mainframe-migration | mainframe-migration.md |
| code page / collation / CCSID / EBCDIC / UTF-8 / CODEUNITS32 / territory | code page & collation | code-page-collation.md |
| snapshot / backup / restore / rollforward / PiTR / S3 integration | backup-restore | backup-restore.md |
| Multi-AZ / standby replica / read replica / HADR / cross-region / failover | ha-dr | ha-dr.md |
| parameter group / RDSADMIN / scale / storage / CloudWatch / registry variable | operations | operations.md |
| BYOK / customer-managed KMS / bring your own key / imported key material / multi-region key | byok | byok-kms.md |
| Active Directory / Kerberos / domain join / self-managed AD / kinit / SPN / realm | ad-kerberos | ad-kerberos.md |
| audit / DB2_AUDIT / audit policy / audit to S3 / option group | db2-audit | db2-audit.md |
| minimum IAM / least privilege / IAM policy / trust policy / permissions | minimum-iam | minimum-iam.md |
| colocation / co-locate / EC2 app latency / ASG / ALB / failover routing | colocation | colocation.md |

Constraints:
  • The agent MUST read only the reference files that match the user's question, to keep the context focused.
  • The agent MUST NOT invent RDSADMIN procedure signatures, because a wrong parameter order fails at runtime; always cite the signature from the reference file.
  • The agent MUST cite the source blog URL when an answer is blog-sourced, so the user can verify specifics.
  • If a question crosses two sub-skills (e.g. "migrate z/OS with near-zero downtime", or "BYOK plus cross-region standby"), the agent SHOULD load each matching reference and combine them.

Execute Workflow

Once routed, give the user a concrete, runnable answer grounded in the reference file.
Parameter acquisition:
  • All required parameters (region, instance identifier, source/target ARNs, S3 bucket, prefix, the `--master-username` value) MUST be collected upfront in a single message.
  • Parameter formats MUST be specified: region in `us-east-1` style; instance identifier matching `^[a-zA-Z][a-zA-Z0-9-]{0,62}$`; ARN in the form `arn:aws:rds:<region>:<account>:db:<name>`; S3 bucket 3–63 lowercase characters.
  • The agent MUST accept parameters via direct input, a JSON/YAML file path, or a URL.
Tool use:
  • Use the AWS CLI for RDS operations (example: `aws rds create-db-instance-read-replica --db-instance-identifier <name> --source-db-instance-identifier <arn> --replica-mode mounted --region <dr-region>`). Every operation is expressed in AWS CLI syntax so it runs whether or not the AWS MCP server is installed.
  • Use the bundled scripts (db2-driver.sh, db2client-configure.sh, db2client-airgap.sh, functions.sh) instead of rewriting install steps.
  • Write migration plans, upgrade plans and validation reports to a local `artifacts/<app-name>/` directory created at runtime in the working directory (this is a run-time output location, not part of the shipped skill).
Constraints:
  • The agent MUST give exact CLI commands when behavior is deterministic, not descriptions like "enable Multi-AZ".
  • The agent MUST obtain AWS credentials through an IAM role or instance profile and MUST NOT prompt the user to paste credentials.
  • The agent MUST cite the source blog or documentation URL whenever the answer is sourced from published material, so the user can verify it.
  • The agent MUST write long-form artifacts to a local `artifacts/<app-name>/` directory (created at runtime in the working directory) so the workspace is inspectable.
  • When a requested action is unsupported on managed RDS for Db2, the agent MUST state the limitation plainly, with no hedging like "limited support" or "with special config", and offer a supported alternative (for example, unfenced C/COBOL stored procedures are not supported; rewrite them in Java via `sqlj.install_jar`, or in SQL PL).
  • The AWS MCP server is recommended but not required. When the MCP server is in use, prefer inline JSON strings over positional filesystem arguments with `call_aws`; this is guidance for the MCP path only, not a requirement. Never treat `call_aws` or `run_script` as the only way to perform an operation; the AWS CLI command always works on its own.
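An added example, not code from the skill, of the parameter gate the rules above describe. Every value is checked against an anchored pattern before it is placed in an argv list, so a malformed or hostile value is rejected instead of being spliced into a command line. The region, instance-identifier, ARN and bucket formats are the ones stated above; the two extra identifier rules (no trailing hyphen, no double hyphen), the partition and account shape inside the ARN, and the shell-metacharacter screen are additions from the RDS API constraints and ordinary input hygiene. `standby_replica_command` assumes the mounted-replica invocation shown above.

```python
"""Parameter validation and argv construction for the RDS for Db2 workflows
(added example, not part of the skill)."""
import re
from typing import Dict, List

_REGION = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")           # us-east-1, us-gov-west-1
_INSTANCE_ID = re.compile(r"^[a-zA-Z][a-zA-Z0-9-]{0,62}$")        # pattern stated above
_DB_ARN = re.compile(
    r"^arn:aws(?:-us-gov|-cn)?:rds:([a-z0-9-]+):(\d{12}):db:([a-zA-Z][a-zA-Z0-9-]{0,62})$"
)
_S3_BUCKET = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")   # 3-63 chars, lowercase

REQUIRED = ("region", "instance_id", "s3_bucket", "master_username")


def validate_params(params: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every value is usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not params.get(key):
            problems.append(f"{key}: missing")

    checks = {
        "region": _REGION,
        "instance_id": _INSTANCE_ID,
        "source_arn": _DB_ARN,
        "s3_bucket": _S3_BUCKET,
    }
    for key, pattern in checks.items():
        value = params.get(key)
        if value is not None and not pattern.match(value):
            problems.append(f"{key}: {value!r} does not match the required format")

    # RDS rejects identifiers that end in a hyphen or contain two consecutive
    # hyphens even though the regex above admits them.
    ident = params.get("instance_id") or ""
    if ident.endswith("-") or "--" in ident:
        problems.append(f"instance_id: {ident!r} may not end with '-' or contain '--'")

    # Nothing containing whitespace or shell metacharacters ever reaches argv.
    for key, value in params.items():
        if re.search(r"[\s;&|`$<>]", value or ""):
            problems.append(f"{key}: contains whitespace or shell metacharacters")
    return problems


def standby_replica_command(params: Dict[str, str]) -> List[str]:
    """argv for the cross-region mounted standby shown above. Built as a list
    (no shell) and only after validation passes, so values are never
    re-parsed by a shell."""
    problems = validate_params(params)
    if "source_arn" not in params:
        problems.append("source_arn: missing")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "aws", "rds", "create-db-instance-read-replica",
        "--db-instance-identifier", params["instance_id"],
        "--source-db-instance-identifier", params["source_arn"],
        "--replica-mode", "mounted",
        "--region", params["region"],
    ]
```

Hand the returned list to `subprocess.run` directly; do not join it into a string.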

Resource tagging (always apply on resource creation)

When creating any RDS for Db2 resource (`create-db-instance`, including Multi-AZ deployments, which for RDS for Db2 are Multi-AZ DB instances created with `create-db-instance --multi-az` rather than Multi-AZ DB clusters; `create-db-parameter-group`; `create-db-instance-read-replica` for standby replicas), ALWAYS include these tags using the RDS list-of-records `--tags` syntax:
`--tags Key=created_by,Value=rds-db2-skill Key=generation_model,Value={your-model-id}`
Example:
`--tags Key=created_by,Value=rds-db2-skill Key=generation_model,Value=claude-sonnet-4-20250514`
The same convention applies to every resource this skill creates, including BYOK-encrypted instances (`create-db-instance --storage-encrypted --kms-key-id ...`), audit option groups (`create-option-group`), and customer-managed KMS keys (`kms create-key`, tagged with `--tags TagKey=created_by,TagValue=rds-db2-skill TagKey=generation_model,TagValue={your-model-id}` per the KMS tag syntax).
Include these tags even if the user does not mention tagging, so the user can identify the resources created via this skill. If the user provides additional tags, append these to their tags rather than replacing them. The same applies when tagging via `add-tags-to-resource` on existing resources.
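An added example, not code from the skill, of the tag merge and the two `--tags` syntaxes described above. User tags are kept and the two mandatory keys are appended; the collision rule (the skill's value wins if the user reused `created_by` or `generation_model`) and the JSON fallback for values containing a comma (the CLI shorthand splits on commas) are choices made here, not rules stated on this page.

```python
"""Tag construction for resources created by the skill (added example, not
part of the skill)."""
import json
from typing import Dict, List

SKILL_TAG_KEY = "created_by"
SKILL_TAG_VALUE = "rds-db2-skill"
MODEL_TAG_KEY = "generation_model"


def merged_tags(user_tags: Dict[str, str], model_id: str) -> Dict[str, str]:
    """User-supplied tags first, then the two mandatory skill tags appended.
    Assumption: if the user reused one of the mandatory keys, the skill's value
    wins so the resource stays identifiable as skill-created."""
    merged = dict(user_tags)                       # never drops the user's tags
    merged[SKILL_TAG_KEY] = SKILL_TAG_VALUE
    merged[MODEL_TAG_KEY] = model_id
    return merged


def _has_comma(tags: Dict[str, str]) -> bool:
    return any("," in value for value in tags.values())


def rds_tag_args(tags: Dict[str, str]) -> List[str]:
    """--tags for RDS calls (create-db-instance, create-option-group,
    add-tags-to-resource). Shorthand 'Key=k,Value=v' splits on commas, so a
    value containing a comma is passed as the equivalent JSON list instead."""
    if _has_comma(tags):
        return ["--tags", json.dumps([{"Key": k, "Value": v} for k, v in tags.items()])]
    return ["--tags"] + [f"Key={k},Value={v}" for k, v in tags.items()]


def kms_tag_args(tags: Dict[str, str]) -> List[str]:
    """--tags for 'aws kms create-key', which uses TagKey/TagValue."""
    if _has_comma(tags):
        return ["--tags", json.dumps([{"TagKey": k, "TagValue": v} for k, v in tags.items()])]
    return ["--tags"] + [f"TagKey={k},TagValue={v}" for k, v in tags.items()]
```

Each shorthand element is its own argv token, which is what the CLI's list-of-records parser expects.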

RDS-managed facts the agent must always surface

These RDS-for-Db2-specific facts are what differentiates this skill from general IBM Db2 knowledge. General-Db2 answers typically omit the RDS-managed constraints (no unfenced C/COBOL, Secrets Manager rotation side effects, `rdsadmin.*` procedures) and the AWS-native migration tooling nuances (DMS z/OS limits, ADB2GEN vs SCT).
For "create cross-region standby replica for DR", you MUST tell the user ALL of the following six facts:
  1. Use `aws rds create-db-instance-read-replica` with `--replica-mode mounted` and the cross-region source ARN. Db2 cross-region standby uses mounted replica mode, NOT transactional read-replica mode.
  2. Source prerequisite: automated backups enabled on the source instance (backup retention period > 0).
  3. Target-region prerequisite: custom parameter group created in the target region before the command runs.
  4. Target-region prerequisite: KMS key available in the target region (multi-region KMS key or a target-region customer-managed KMS key).
  5. State prerequisites: all databases in `active` state, no pending reboots, no license-model restrictions blocking cross-region replicas.
  6. Explain the mounted-vs-transactional distinction: mounted replicas do not accept reads or SQL from applications; they exist purely as a DR standby that can be promoted. Do not suggest read offload use cases.
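An added example, not code from the skill, that turns the six prerequisites above into a pre-flight check run before `create-db-instance-read-replica`. The `source` argument is one entry from `aws rds describe-db-instances` (the field names `BackupRetentionPeriod`, `DBInstanceStatus`, `PendingModifiedValues`, `StorageEncrypted` are real API fields); the parameter-group, KMS-key and pending-task inputs are facts the operator gathers separately, because the describe call does not expose them. The database-state and license checks from fact 5 are not covered here since this page gives no API field for them.

```python
"""Pre-flight for a cross-region mounted standby (added example, not part of
the skill)."""
from typing import Any, Dict, List, Optional

AVAILABLE = "available"


def _arn_region(arn: str) -> str:
    """arn:partition:service:region:account:resource -> region."""
    return arn.split(":")[3]


def standby_preflight(source: Dict[str, Any],
                      target_region: str,
                      target_parameter_group_exists: bool,
                      target_kms_key_arn: Optional[str],
                      pending_rdsadmin_tasks: int = 0) -> List[str]:
    """Every prerequisite from the list above that is not met, by name.
    An empty list means the replica command can be issued."""
    issues: List[str] = []

    # Fact 2: automated backups on the source.
    if int(source.get("BackupRetentionPeriod", 0)) <= 0:
        issues.append("source automated backups disabled (BackupRetentionPeriod must be > 0)")

    # Fact 5: no pending reboot or modification, nothing in flight.
    if source.get("DBInstanceStatus") != AVAILABLE:
        issues.append(f"source status is {source.get('DBInstanceStatus')!r}, not {AVAILABLE!r}")
    if source.get("PendingModifiedValues"):
        issues.append("source has pending modifications (reboot or modify in flight)")
    if pending_rdsadmin_tasks:
        issues.append(f"{pending_rdsadmin_tasks} rdsadmin task(s) still running")

    # Fact 3: parameter group must already exist in the target region.
    if not target_parameter_group_exists:
        issues.append("create the custom parameter group in the target region first")

    # Fact 4: an encrypted source needs a key usable in the target region,
    # and a key from any other region is the classic silent mistake.
    if source.get("StorageEncrypted"):
        if not target_kms_key_arn:
            issues.append("encrypted source needs a KMS key in the target region "
                          "(multi-region key or target-region customer-managed key)")
        elif _arn_region(target_kms_key_arn) != target_region:
            issues.append(f"KMS key is in {_arn_region(target_kms_key_arn)}, not {target_region}")
    return issues
```

Run it with the real `describe-db-instances` JSON for the source and refuse to issue the replica command while the list is non-empty.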
For "restore Db2 backup from S3 (multi-part, N files)", you MUST tell the user ALL of the following six facts; never omit any of the procedure names:
  1. Attach an IAM role with S3 access via `aws rds add-role-to-db-instance` using `--feature-name S3_INTEGRATION`.
  2. Set restore performance parameters via `rdsadmin.set_configuration`; tune `USE_STREAMING_RESTORE`, `RESTORE_DATABASE_NUM_BUFFERS`, and `PARALLELISM` before starting the restore.
  3. Call `rdsadmin.restore_database` with five parameters in this exact order: database name, restore mode (`OFFLINE` or `ONLINE`), S3 prefix, S3 bucket, and region. Multi-file (multi-part) backups are handled by the shared prefix; there is no separate multi-part flag parameter. (Signature: `rdsadmin.restore_database(dbname, type, prefix, bucket, region)`.)
  4. For `ONLINE` restore mode, follow up with `rdsadmin.rollforward_database` to replay archive logs, then `rdsadmin.complete_rollforward` to finish. `OFFLINE` restores do NOT need rollforward.
  5. Monitor progress with `rdsadmin.get_task_status`; every `rdsadmin` procedure returns a task ID you poll.
  6. Warn about a VPC endpoint for S3 if there is no internet egress from the private subnet, and warn about Db2 version compatibility between the source backup and the RDS instance engine version (forward-compatible, not backward).
For "C/COBOL unfenced external stored procedures — lift and shift to RDS for Db2?", you MUST tell the user ALL of the following four facts:
  1. Unfenced external stored procedures in C and COBOL are NOT supported on RDS for Db2. State this as an unqualified "not supported" — do not hedge with "limited support" or "with special config."
  2. All routines on RDS for Db2 MUST be fenced. This is a managed-service architectural constraint, not a flag.
  3. Java stored procedures are supported; install via `sqlj.install_jar`. C/COBOL SPs should be rewritten in Java or SQL PL (Db2's procedural SQL, equivalent to Oracle's PL/SQL).
  4. Offer to help identify which SPs are unfenced and prioritize the rewrite by call frequency (hot code path first).
For "migrate Db2 for z/OS to RDS for Db2 with near-zero downtime", you MUST tell the user ALL of the following five facts:
  1. For near-zero-downtime from z/OS, use Q Replication (IBM IIDR), Qlik Replicate, or Precisely — these are the CDC tools that support Db2 for z/OS as a source streaming to RDS for Db2.
  2. AWS DMS supports FULL LOAD ONLY from Db2 for z/OS. DMS does NOT support CDC from z/OS sources. Use DMS for a one-time bulk load, not for near-zero-downtime cutover.
  3. Use ADB2GEN for schema conversion from z/OS. AWS SCT does NOT support Db2 for z/OS as a source — this is a common trap. Do not recommend SCT for z/OS sources.
  4. Code-page conversion (EBCDIC → UTF-8) is the primary migration risk. Plan explicit collation and code page mapping before cutover — silent data corruption is the failure mode.
  5. Plan explicit collation selection on the target RDS instance to match the semantic ordering of the z/OS source.
For "SQL30082N — USERNAME AND/OR PASSWORD INVALID" with an RDS-managed master user (the user didn't change it), you MUST tell the user ALL of the following four facts:
  1. SQL30082N after a previously-working connection almost always means the master password rotated in Secrets Manager. RDS for Db2 rotates the master password on the Secrets Manager schedule; clients using a cached password start failing with SQL30082N even though nothing on their side changed.
  2. Fix: run `db2_use <instance-id>` (from `functions.sh` / the bundled helpers). This fetches the current password from Secrets Manager and rewrites `~/.db2env` with the new value.
  3. Alternative: `db2_test_connection` to verify the helper's fix worked end-to-end.
  4. If `db2_use` isn't installed, the user needs to pull the current password with `aws secretsmanager get-secret-value` and update their local credential cache manually. Do not tell them to rotate the password; the password rotation is what caused the problem.
For "BYOK / customer-managed KMS key for RDS for Db2", you MUST tell the user ALL of the following six facts:
  1. Use a multi-region KMS key with `--origin EXTERNAL` when importing your own key material, so the same key ID and material can replicate to a DR region.
  2. The creating principal needs `kms:CreateGrant` and `kms:DescribeKey` on the key, or instance creation fails.
  3. Encryption is set at instance creation with `--storage-encrypted --kms-key-id <alias|arn>`. You cannot encrypt an existing unencrypted instance in place; instead take a snapshot, run `copy-db-snapshot --kms-key-id` to produce an encrypted copy, then `restore-db-instance-from-db-snapshot`.
  4. For cross-region DR, replicate the multi-region key (`kms:ReplicateKey`) into the DR region first, then `copy-db-snapshot` across regions with the replica key.
  5. Import tokens expire after 24 hours. If `import-key-material` fails on expiry, re-run `get-parameters-for-import` to get a fresh token and wrapping key, and re-wrap the key material with the new wrapping key before retrying; the old ciphertext is bound to the old token.
  6. Cite blog DBBLOG-5188 and byok-kms.md; do not invent KMS parameter names.
For "self-managed Active Directory with Kerberos on RDS for Db2", you MUST tell the user ALL of the following six facts:
  1. RDS joins your AD via `--domain-fqdn`, `--domain-ou`, `--domain-auth-secret-arn`, and `--domain-dns-ips`; this is the self-managed AD path, with no AWS Managed Microsoft AD required.
  2. The Secrets Manager secret uses the keys `SELF_MANAGED_ACTIVE_DIRECTORY_USERNAME` (the sAMAccountName only; a `DOMAIN\` prefix fails creation) and `SELF_MANAGED_ACTIVE_DIRECTORY_PASSWORD`, is encrypted by a dedicated KMS key, and carries a resource policy trusting `rds.amazonaws.com` guarded by `aws:SourceArn` and `aws:SourceAccount` (confused-deputy protection: RDS acting on behalf of any other account or instance cannot read the secret).
  3. Delegate the nine AD permissions to a dedicated service account scoped to one OU; grant `servicePrincipalName` read/write on User objects using ADSI Edit, not the ADUC delegation wizard (which filters that attribute out). This is the most common failure.
  4. Open AD ports between RDS and the domain controllers: DNS 53, Kerberos 88 and 464, LDAP 389 and 3268, and the RPC range 49152–65535 (the dynamic range is reached via the endpoint mapper on TCP 135, so open that as well). Missing the RPC range is the top cause of intermittent join failures. Keep clock skew under 5 minutes.
  5. The RDS master user is a local account that cannot get a Kerberos ticket. AD users need `kinit` plus a `GRANT CONNECT`. Kerberos JDBC uses `securityMechanism=11` and a region-specific PEM via `sslCertLocation` (never `global-bundle.pem`).
  6. Cite the self-managed AD blog and ad-kerberos.md; verify with `describe-db-instances ... DomainMemberships` showing `Status: joined`.

Troubleshooting

| Error | Cause | Fix |
|---|---|---|
| SQL30082N | Password rotated in Secrets Manager | Run `db2_use <instance-id>`; the helper re-fetches the current password and rewrites `~/.db2env`. |
| SQL1531N | DSN not yet in cache | `db2 terminate` to clear, then retry; if still failing, re-run db2client-configure.sh. |
| SQL01013N / TCP timeout | Security group blocks 50000/50443 | Check SG inbound rules; add the client's SG on TCP 50000 (plain) or 50443 (SSL). |
| GSKit / SSL certificate error | RDS cert bundle missing or RSA cert not first | Re-download `<region>-bundle.pem` from the RDS truststore and re-run `db2client-configure.sh`. |
| Access denied on RDSADMIN call | IAM role missing the `S3_INTEGRATION` feature | `aws rds add-role-to-db-instance --feature-name S3_INTEGRATION --role-arn <role-arn> --db-instance-identifier <id>` |
| Restore fails with "database in rollforward pending" | ONLINE restore left the DB in rollforward state | Call `rdsadmin.rollforward_database` for each archive log, then `rdsadmin.complete_rollforward`. |
| Standby replica creation fails | Missing prereqs | Verify: automated backups enabled, custom parameter group in the DR region, multi-region KMS key, no pending `rdsadmin` tasks, all databases in active state. |
| AD domain join `Status` not `joined` | RPC port range blocked, wrong secret format, or SPN attribute missing | Open RPC 49152–65535 between RDS and the DCs, confirm the secret username is the sAMAccountName with no `DOMAIN\` prefix, and grant `servicePrincipalName` on User objects via ADSI Edit; see ad-kerberos.md. |
| `import-key-material` fails (token expired) | Import token older than 24 hours | Re-run `get-parameters-for-import` for a fresh token and wrapping key, re-wrap the material with `openssl`, then retry the import; see byok-kms.md. |
| Throttling from RDS API | Exceeded API request rate | Exponential backoff with jitter; batch operations; check Service Quotas. |

Security Considerations

Surface these controls when advising on any production RDS for Db2 deployment. They consolidate the security guidance that the sub-skill references cover in depth.
  • Encryption at rest and in transit: always create instances with `--storage-encrypted`; for key ownership and compliance use a customer-managed KMS key (BYOK), and for DR use a multi-region key. Enforce TLS on every connection (port 50443, `<region>-bundle.pem`); never connect in plaintext for production. See byok-kms.md and connectivity-tls.md. (Guideline 1)
  • Least-privilege IAM: use the scoped policy and trust policy in minimum-iam.md; never attach a `*FullAccess` managed policy. Scope `iam:PassRole` and ARN-pattern every mutating statement that supports resource-level permissions. (Guideline 5)
  • Network isolation: keep instances in private subnets, restrict security groups to the application/source SG (never `0.0.0.0/0`), and use VPC endpoints for S3/SSM/Secrets Manager so traffic stays off the public internet. See colocation.md. (Guideline 5)
  • Audit logging and monitoring: enable Db2 audit to S3 (db2-audit.md), RDS Enhanced Monitoring, and CloudTrail for RDS/KMS/Secrets Manager API calls. Alarm on failed logins and configuration changes. (Guideline 12)
  • Secret rotation: provision with `--manage-master-user-password` so RDS stores and rotates the master password in Secrets Manager; never embed plaintext passwords. After rotation, refresh clients with `db2_use <instance-id>`. (Guideline 13)
  • Backup encryption and retention: set a backup retention period, encrypt automated and manual snapshots with your KMS key, and apply S3 bucket encryption plus lifecycle/retention to any Db2 audit or backup buckets. (Guideline 13)

Additional Resources

In-scope documentation and blogs

Related topics (cited resources, not yet routed sub-skills)

These adjacent topics are not expanded into routed references in this iteration. Each is discoverable through the cited resource below.

Blog catalog

The authoritative list of published RDS for Db2 blogs and sample tools is maintained at https://github.com/aws-samples/sample-rds-db2-tools/tree/main — consult it for the current set of blog articles and companion code.
  • Related skill (migrating off Db2 LUW to PostgreSQL): `rds-postgres-migration` (if present in corpus).

Handoff from aws-database-selection

This skill can be invoked directly, or it can be entered from the `aws-database-selection` parent skill after that skill has run a requirements interview and produced a `requirements.json` artifact. When you see a backtick-wrapped path matching `aws_dbs_requirements/*/requirements.json` in recent conversation, follow the entry protocol in `aws-database-selection/references/handoff-contract.md`:
  1. Read the artifact using `file_read`.
  2. Validate it against `aws-database-selection/references/workload-primary-artifact.schema.json`. If malformed or unreadable, tell the user and proceed without it.
  3. Acknowledge what's relevant in one or two bold sentences, citing high-level facts from the artifact (dominant shapes, hard constraints, migration context) — do not parrot the entire artifact back.
  4. Scope-check: this skill is scoped to Amazon RDS for Db2 — migrations from Db2 z/OS or LUW, HADR, standby replicas, SQL PL routines, Q Replication cutovers. If the artifact's `workload_primaries.dominant_shapes` or `migration_context` don't match that scope, emit weak backpressure per the handoff contract: suggest `amazon-aurora` for refactor-to-PostgreSQL from Db2, or go back to `aws-database-selection` if Db2 isn't the source, then ask the user whether to go back or proceed anyway. Do not silently misuse the artifact.
  5. Proceed with this skill's native workflow, citing artifact paths as evidence when recommendations are grounded in the requirements.
The curated RDS-for-Db2 selection facts that the parent `aws-database-selection` skill consumes live at `assets/selection-knowledge-input.json` (with a human-readable companion at `assets/selection-knowledge-input.md`). These capture the in-scope source-migration scenarios, hard constraints, HA/DR options, and security areas in a structured, reusable form — read them when you need the curated selection view rather than re-deriving it.
All user-facing output from this skill follows the markdown-primitives-only formatting convention in the handoff contract: bold labels, backticks for paths and enum values, bullet lists for alternatives, no ASCII art or box-drawing characters.