rds-db2
Amazon RDS for Db2
Overview
Amazon RDS for Db2 is a managed IBM Db2 LUW service. RDS for Db2 is managed — you cannot SSH to the host, install agents, or run unfenced external stored procedures in C/COBOL. Java stored procedures work via `sqlj.install_jar`. This skill covers the operator lifecycle: provisioning with IBM licensing, client install and TLS connectivity, migration from self-managed Db2 on Linux/AIX/Windows/z/OS/AS400, S3 backup and restore, Multi-AZ and cross-region standby replicas, and RDSADMIN stored procedures that replace SYSCTRL/SYSMAINT authority.
It also covers six additional security and operations areas: customer-managed KMS keys (BYOK), self-managed Active Directory with Kerberos authentication, Db2 audit to S3, code page and collation selection (EBCDIC, CCSID), minimum IAM permissions, and EC2/RDS colocation for Multi-AZ latency and failover.
The AWS MCP server is recommended but not required; all operations are expressed in AWS CLI syntax and run with or without it.
Routes to the matching sub-skill reference. Load only the matching reference.
Common Tasks
Verify Dependencies
Before executing an RDS for Db2 workflow, confirm required tools exist. Do not run installers or API calls yet.
- AWS CLI v2 for every RDS API call
- AWS credentials via a managed mechanism (IAM role, instance profile, `ada credentials update`) — not pasted credentials
- Client install: `bash`/`curl` access, run as root and as `db2inst1`
- Airgap install: internet-connected machine + target with VPC endpoints for S3, SSM, Secrets Manager
- Mainframe migration: z/OS access, IBM ADB2GEN license, Python 3
- BYOK / customer-managed KMS: `openssl` (to wrap imported key material) and `jq` (to parse `get-parameters-for-import` output)
- Self-managed Active Directory + Kerberos: `realmd`, `sssd`, `adcli`, `krb5-workstation` on the client, plus a valid Kerberos ticket (`kinit` produces a TGT — check with `klist`)
- Kerberos JDBC test: a JDK and the Db2 JDBC driver `db2jcc4.jar` v4.33+ (earlier driver versions lack `securityMechanism=11` Kerberos support)
Constraints:
- The agent MUST check dependencies before running any install or AWS API command.
- The agent MUST NOT prompt the user to paste credentials because credentials MUST flow through an IAM role or instance profile.
- The agent MUST tell the user which dependencies are missing and MUST respect the user's decision to abort.
- The agent MUST explain, for each step, what it does, why, and which tool will be invoked — before invoking it.
Classify and Route
Map the user's question to the correct sub-skill reference, then load only that file.
| User says | Sub-skill | Load |
|---|---|---|
| create / provision / parameter group / IBM customer ID / IBM site ID / License Manager / BYOL / GovCloud | provisioning | provisioning.md |
| connect / SQL30082N / SQL1531N / DSN / CLP / Python / Java / CloudShell / airgap | connectivity | connectivity.md |
| SSL / TLS / GSKit / certificate / truststore / bundle.pem | connectivity-tls | connectivity-tls.md |
| Python driver / JDBC / laptop / multi-instance / db2_use | connection drivers | connection-drivers.md |
| migrate / DMS / Q Replication / IIDR / AIX / Windows / AS400 / precheck | migration | migration.md |
| z/OS / mainframe / ADB2GEN / schema conversion | mainframe-migration | mainframe-migration.md |
| code page / collation / CCSID / EBCDIC / UTF-8 / CODEUNITS32 / territory | code page & collation | code-page-collation.md |
| snapshot / backup / restore / rollforward / PiTR / S3 integration | backup-restore | backup-restore.md |
| Multi-AZ / standby replica / read replica / HADR / cross-region / failover | ha-dr | ha-dr.md |
| parameter group / RDSADMIN / scale / storage / CloudWatch / registry variable | operations | operations.md |
| BYOK / customer-managed KMS / bring your own key / imported key material / multi-region key | byok | byok-kms.md |
| Active Directory / Kerberos / domain join / self-managed AD / kinit / SPN / realm | ad-kerberos | ad-kerberos.md |
| audit / DB2_AUDIT / audit policy / audit to S3 / option group | db2-audit | db2-audit.md |
| minimum IAM / least privilege / IAM policy / trust policy / permissions | minimum-iam | minimum-iam.md |
| colocation / co-locate / EC2 app latency / ASG / ALB / failover routing | colocation | colocation.md |
Constraints:
- The agent MUST read only the reference files that match the user's question, to keep the context focused.
- The agent MUST NOT invent RDSADMIN procedure signatures, because wrong parameter order will fail at runtime — always cite the signature from the reference file.
- The agent MUST cite the source blog URL when an answer is blog-sourced, so the user can verify specifics.
- If a question crosses two sub-skills (e.g. "migrate z/OS with near-zero downtime", or "BYOK plus cross-region standby"), the agent SHOULD load each matching reference and combine them.
Execute Workflow
Once routed, give the user a concrete, runnable answer grounded in the reference file.
Parameter acquisition:
- All required parameters (region, instance identifier, source/target ARNs, S3 bucket, prefix, the `--master-username` value) MUST be collected upfront in a single message.
- Parameter formats MUST be specified: region `us-east-1`-style; instance identifier `^[a-zA-Z][a-zA-Z0-9-]{0,62}$`; ARN `arn:aws:rds:<region>:<account>:db:<name>`; S3 bucket 3–63 chars lowercase.
- The agent MUST accept parameters via direct input, a JSON/YAML file path, or a URL.
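The parameter formats above are the kind of thing an operator should reject before any API call is made, not after it fails. The following is an added example, not a script from the rds-db2 skill or its bundled helpers: a set of POSIX shell checks that implement the patterns stated in the skill text. It goes slightly beyond the page in two places, both documented RDS/S3 rules rather than assumptions: an instance identifier may not end with a hyphen or contain two consecutive hyphens, and a bucket name must start and end with a letter or digit. The function names and the sample values in the usage are our own.

```bash
#!/usr/bin/env bash
# Added example (not part of the rds-db2 skill): pre-flight format checks for the
# parameters the agent collects before any RDS for Db2 API call. The patterns are
# the ones stated in the skill text; the function names are our own.

# Every check prints nothing and returns 0 (valid) or 1 (invalid).
check_region() {
  # us-east-1 style; also admits GovCloud regions such as us-gov-west-1.
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'
}

check_instance_id() {
  # Skill rule: ^[a-zA-Z][a-zA-Z0-9-]{0,62}$. RDS additionally documents that the
  # identifier cannot end with a hyphen or contain two consecutive hyphens.
  printf '%s' "$1" | grep -Eq '^[a-zA-Z][a-zA-Z0-9-]{0,62}$' || return 1
  case "$1" in *-) return 1 ;; *--*) return 1 ;; esac
  return 0
}

check_db_arn() {
  # arn:aws:rds:<region>:<account>:db:<name>; the partition may be aws-us-gov or aws-cn.
  printf '%s' "$1" | grep -Eq '^arn:aws(-us-gov|-cn)?:rds:[^:]+:[0-9]{12}:db:[^:]+$' || return 1
  # The embedded region and instance name must themselves be well formed.
  check_region "$(printf '%s' "$1" | cut -d: -f4)" || return 1
  check_instance_id "$(printf '%s' "$1" | cut -d: -f7)"
}

check_s3_bucket() {
  # 3-63 characters, lowercase letters, digits, dots and hyphens, alphanumeric at both ends.
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

# Validate one parameter set. Prints one line per failure; the return value is the
# number of failures, so 0 means "safe to build the CLI command".
# Args: region instance_id source_db_arn s3_bucket
validate_rds_params() {
  region=$1; instance_id=$2; source_arn=$3; bucket=$4
  failures=0
  check_region "$region" \
    || { echo "region: '$region' is not us-east-1 style"; failures=$((failures+1)); }
  check_instance_id "$instance_id" \
    || { echo "instance identifier: '$instance_id' violates ^[a-zA-Z][a-zA-Z0-9-]{0,62}\$"; failures=$((failures+1)); }
  check_db_arn "$source_arn" \
    || { echo "source ARN: '$source_arn' is not arn:aws:rds:<region>:<account>:db:<name>"; failures=$((failures+1)); }
  check_s3_bucket "$bucket" \
    || { echo "S3 bucket: '$bucket' is not 3-63 lowercase characters"; failures=$((failures+1)); }
  return "$failures"
}

# Usage (constructed sample values; the account id is the standard documentation example):
#   validate_rds_params us-east-1 db2-prod arn:aws:rds:us-east-1:123456789012:db:db2-prod my-db2-backups
```

Run the validator on the user-supplied values before rendering any `aws rds` command; a non-zero return means the agent should report the listed failures and ask again rather than let the API reject the request.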
Tool use:
- Use AWS CLI for RDS operations (example: `aws rds create-db-instance-read-replica --db-instance-identifier <name> --source-db-instance-identifier <arn> --replica-mode mounted --region <dr-region>`). Every operation is expressed in AWS CLI syntax so it runs whether or not the AWS MCP server is installed.
- Use bundled scripts — db2-driver.sh, db2client-configure.sh, db2client-airgap.sh, functions.sh — instead of rewriting install steps.
- Write migration plans, upgrade plans, and validation reports to a local `artifacts/<app-name>/` directory created at runtime in the working directory (this is a run-time output location, not part of the shipped skill).
Constraints:
- The agent MUST give exact CLI commands when behavior is deterministic, not descriptions like "enable Multi-AZ".
- The agent MUST obtain AWS credentials through an IAM role or instance profile and MUST NOT prompt the user to paste credentials.
- The agent MUST cite the source blog or documentation URL whenever the answer is sourced from published material, so the user can verify it.
- The agent MUST write long-form artifacts to a local `artifacts/<app-name>/` directory (created at runtime in the working directory) so the workspace is inspectable.
- When a requested action is unsupported on managed RDS for Db2, the agent MUST state the limitation plainly — no hedging like "limited support" or "with special config" — and offer a supported alternative (for example, unfenced C/COBOL stored procedures are not supported; rewrite them in Java via `sqlj.install_jar`, or in SQL PL).
- The AWS MCP server is recommended but not required. When the MCP server is in use, prefer inline JSON strings over positional filesystem arguments with `call_aws`; this is guidance for the MCP path only, not a requirement. Never treat `call_aws` or `run_script` as the only way to perform an operation — the AWS CLI command always works on its own.
Resource tagging (always apply on resource creation)
When creating any RDS for Db2 resource (`create-db-instance`, `create-db-parameter-group`, `create-db-cluster` for Multi-AZ deployments, `create-db-instance-read-replica` for standby replicas), ALWAYS include these tags using the RDS `--tags` list-of-records syntax:

`--tags Key=created_by,Value=rds-db2-skill Key=generation_model,Value={your-model-id}`

Example:

`--tags Key=created_by,Value=rds-db2-skill Key=generation_model,Value=claude-sonnet-4-20250514`

The same convention applies to every resource this skill creates, including BYOK-encrypted instances (`create-db-instance --storage-encrypted --kms-key-id ...`), audit option groups (`create-option-group`), and customer-managed KMS keys (`kms create-key`, tagged with `--tags TagKey=created_by,TagValue=rds-db2-skill TagKey=generation_model,TagValue={your-model-id}` per the KMS tag syntax).

Include these tags even if the user does not mention tagging, so that they can identify the resources created via this skill. If the user provides additional tags, append these to their tags rather than replacing them. The same applies when tagging via `add-tags-to-resource` on existing resources.
RDS-managed facts the agent must always surface
These RDS-for-Db2-specific facts are what differentiate this skill from general IBM Db2 knowledge. General-Db2 answers typically omit the RDS-managed constraints (no unfenced C/COBOL, Secrets Manager rotation side effects, `rdsadmin.*` procedures) and the AWS-native migration tooling nuances (DMS z/OS limits, ADB2GEN vs SCT).

For "create cross-region standby replica for DR", you MUST tell the user ALL of the following six facts:
- Use `aws rds create-db-instance-read-replica` with `--replica-mode mounted` and the cross-region source ARN — Db2 cross-region standby uses mounted replica mode, NOT transactional read-replica mode.
- Source prerequisite: automated backups enabled on the source instance (backup retention period > 0).
- Target-region prerequisite: custom parameter group created in the target region before the command runs.
- Target-region prerequisite: KMS key available in the target region (multi-region KMS key or a target-region customer-managed KMS key).
- State prerequisites: all databases in `active` state, no pending reboots, no license-model restrictions blocking cross-region replicas.
- Explain the mounted-vs-transactional distinction — mounted replicas do not accept reads or SQL from applications; they exist purely as a DR standby that can be promoted. Do not suggest read offload use cases.
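The six standby facts above and the tagging convention in the previous section both reduce to checks a script can make before the command runs. This added example (not part of the rds-db2 skill; its function names are our own) codifies the prerequisite list as a pre-flight check and renders the tagged `create-db-instance-read-replica` command as a dry run. It takes the source and target facts as explicit arguments so it runs offline; in a real run you would fill them from `aws rds describe-db-instances`, `describe-db-parameter-groups` and `kms describe-key` output. The license-model check is deliberately left to the operator, since it is not a single field to inspect. The `--db-parameter-group-name` and `--kms-key-id` options are real options of that CLI command.

```bash
#!/usr/bin/env bash
# Added example (not part of the rds-db2 skill): cross-region standby pre-flight
# check plus a dry-run rendering of the tagged CLI command.

# Tags the skill always applies; {your-model-id} is the placeholder from the skill text.
SKILL_TAGS='Key=created_by,Value=rds-db2-skill Key=generation_model,Value={your-model-id}'

# Append the skill tags to whatever the user supplied; user tags are never replaced.
# Arg: user tags in Key=...,Value=... form (may be empty)
build_tags() {
  user_tags=$1
  if [ -n "$user_tags" ]; then
    printf '%s %s' "$user_tags" "$SKILL_TAGS"
  else
    printf '%s' "$SKILL_TAGS"
  fi
}

# Check the standby prerequisites the skill lists. Prints one line per unmet
# prerequisite; the return value is the number of unmet prerequisites.
# Args: backup_retention_days db_state pending_reboot(yes|no) target_param_group_exists(yes|no) target_kms_key_exists(yes|no)
standby_prereq_check() {
  retention=$1; db_state=$2; pending_reboot=$3; pg_exists=$4; kms_exists=$5
  unmet=0
  [ "$retention" -gt 0 ] 2>/dev/null \
    || { echo "source: automated backups disabled (retention=$retention)"; unmet=$((unmet+1)); }
  [ "$db_state" = active ] \
    || { echo "source: database state is '$db_state', not 'active'"; unmet=$((unmet+1)); }
  [ "$pending_reboot" = no ] \
    || { echo "source: a pending reboot must be applied first"; unmet=$((unmet+1)); }
  [ "$pg_exists" = yes ] \
    || { echo "target region: custom parameter group missing"; unmet=$((unmet+1)); }
  [ "$kms_exists" = yes ] \
    || { echo "target region: no multi-region or target-region customer-managed KMS key"; unmet=$((unmet+1)); }
  return "$unmet"
}

# Render the exact command. Mounted mode is mandatory for a Db2 cross-region standby;
# there is no read-offload variant to offer.
# Args: replica_name source_db_arn dr_region target_param_group target_kms_key user_tags
build_standby_command() {
  name=$1; source_arn=$2; dr_region=$3; pg=$4; kms=$5; user_tags=$6
  printf 'aws rds create-db-instance-read-replica --db-instance-identifier %s --source-db-instance-identifier %s --replica-mode mounted --db-parameter-group-name %s --kms-key-id %s --region %s --tags %s' \
    "$name" "$source_arn" "$pg" "$kms" "$dr_region" "$(build_tags "$user_tags")"
}

# Usage (constructed values): only print the command when every prerequisite is met.
#   if standby_prereq_check 7 active no yes yes; then
#     build_standby_command db2-dr arn:aws:rds:us-east-1:123456789012:db:db2-prod us-west-2 db2-pg-dr alias/db2-mrk 'Key=env,Value=prod'
#   fi
```

The rendered string is the command the agent should show the user verbatim; the prerequisite check is what keeps the agent from issuing it against a source that will be rejected for a missing parameter group or key.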
For "restore Db2 backup from S3 (multi-part, N files)", you MUST tell the user ALL of the following six facts — never omit any of the procedure names:
- Attach an IAM role with S3 access via `aws rds add-role-to-db-instance` using `--feature-name S3_INTEGRATION`.
- Set restore performance parameters via `rdsadmin.set_configuration` — tune `USE_STREAMING_RESTORE`, `RESTORE_DATABASE_NUM_BUFFERS`, and `PARALLELISM` before starting the restore.
- Call `rdsadmin.restore_database` with five parameters in this exact order: database name, restore mode (`OFFLINE` or `ONLINE`), S3 prefix, S3 bucket, and region. Multi-file (multi-part) backups are handled by the shared prefix — there is no separate multi-part flag parameter. (Signature: `rdsadmin.restore_database(dbname, type, prefix, bucket, region)`.)
- For `ONLINE` restore mode, follow up with `rdsadmin.rollforward_database` to replay archive logs, then `rdsadmin.complete_rollforward` to finish. `OFFLINE` restores do NOT need rollforward.
- Monitor progress with `rdsadmin.get_task_status` — every `rdsadmin` procedure returns a task ID you poll.
- Warn about the VPC endpoint for S3 if there is no internet egress from the private subnet, and warn about Db2 version compatibility between the source backup and the RDS instance engine version (forward-compatible, not backward).
For "C/COBOL unfenced external stored procedures — lift and shift to RDS for Db2?", you MUST tell the user ALL of the following four facts:
- Unfenced external stored procedures in C and COBOL are NOT supported on RDS for Db2. State this as an unqualified "not supported" — do not hedge with "limited support" or "with special config."
- All routines on RDS for Db2 MUST be fenced. This is a managed-service architectural constraint, not a flag.
- Java stored procedures are supported — install via `sqlj.install_jar`. C/COBOL SPs should be rewritten in Java or SQL PL (Db2's procedural SQL, equivalent to Oracle's PL/SQL).
- Offer to help identify which SPs are unfenced and prioritize the rewrite by call frequency (hot code path first).
For "migrate Db2 for z/OS to RDS for Db2 with near-zero downtime", you MUST tell the user ALL of the following five facts:
- For near-zero-downtime from z/OS, use Q Replication (IBM IIDR), Qlik Replicate, or Precisely — these are the CDC tools that support Db2 for z/OS as a source streaming to RDS for Db2.
- AWS DMS supports FULL LOAD ONLY from Db2 for z/OS. DMS does NOT support CDC from z/OS sources. Use DMS for a one-time bulk load, not for near-zero-downtime cutover.
- Use ADB2GEN for schema conversion from z/OS. AWS SCT does NOT support Db2 for z/OS as a source — this is a common trap. Do not recommend SCT for z/OS sources.
- Code-page conversion (EBCDIC → UTF-8) is the primary migration risk. Plan explicit collation and code page mapping before cutover — silent data corruption is the failure mode.
- Plan explicit collation selection on the target RDS instance to match the semantic ordering of the z/OS source.
For "SQL30082N — USERNAME AND/OR PASSWORD INVALID" with RDS-managed master user (user didn't change it), you MUST tell the user ALL of the following four facts:
- SQL30082N after a previously-working connection almost always means the master password rotated in Secrets Manager. RDS for Db2 rotates the master password on the Secrets Manager schedule — clients using a cached password will start failing with SQL30082N even though nothing on their side changed.
- Fix: run `db2_use <instance-id>` (from `functions.sh` / the bundled helpers). This fetches the current password from Secrets Manager and rewrites `~/.db2env` with the new value.
- Alternative: `db2_test_connection` to verify the helper's fix worked end-to-end.
- If `db2_use` isn't installed, the user needs to pull the current password with `aws secretsmanager get-secret-value` and update their local credential cache manually. Do not tell them to rotate the password — the password rotation is what caused the problem.
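The manual path in the last bullet is where operators tend to paste a password into a terminal or leave it in a world-readable file. The following is an added example of the same idea as the skill's `db2_use` helper, written stand-alone; it is not the skill's code and does not reproduce `functions.sh`. It pulls the current secret with `aws secretsmanager get-secret-value --query SecretString --output text` (a real CLI invocation), reads the `username` and `password` keys that RDS-managed master secrets carry, and rewrites the env file with owner-only permissions. `fetch_secret` is the only call that touches AWS and can be stubbed for offline use; the `~/.db2env` layout (two `export` lines) is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example (not the rds-db2 skill's db2_use): refresh the cached master
# password after a Secrets Manager rotation without the user ever pasting it.

# Read the current secret value as a JSON string. RDS-managed master user secrets
# carry "username" and "password" keys. Arg: secret id or ARN
fetch_secret() {
  aws secretsmanager get-secret-value --secret-id "$1" --query SecretString --output text
}

# Minimal flat-JSON string extraction; sufficient for the secret RDS writes, which
# contains no nested objects. Args: json key
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Rewrite the env file (default ~/.db2env) atomically with mode 0600.
# Returns 1 if the secret cannot be read or has no password field.
# Args: secret_id [env_file]
refresh_db2env() {
  secret_id=$1; env_file=${2:-"$HOME/.db2env"}
  secret_json=$(fetch_secret "$secret_id") || return 1
  user=$(json_field "$secret_json" username)
  pass=$(json_field "$secret_json" password)
  [ -n "$pass" ] || { echo "secret '$secret_id' has no password field" >&2; return 1; }
  # Single quotes inside the password are escaped so the file sources cleanly.
  pass_sq=$(printf '%s' "$pass" | sed "s/'/'\\\\''/g")
  umask 077                                   # temp file is owner-only from creation
  tmp=$(mktemp "$env_file.XXXXXX") || return 1
  {
    printf 'export DB2_USER=%s\n' "$user"
    printf "export DB2_PASSWORD='%s'\n" "$pass_sq"
  } >"$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$env_file"   # rename is atomic; no half-written file
}

# Usage (the secret id is a constructed placeholder):
#   refresh_db2env <master-user-secret-arn> && . "$HOME/.db2env"
```

The point of the stub boundary is that nothing in this flow prints the password or asks for it; the value only ever lands in a 0600 file that the user's shell sources. If the refresh fails, the correct next step is still to fetch again, never to rotate, since rotation is what invalidated the cached value in the first place.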
For "BYOK / customer-managed KMS key for RDS for Db2", you MUST tell the user ALL of the following six facts:
- Use a multi-region KMS key with `--origin EXTERNAL` when importing your own key material, so the same key ID and material can replicate to a DR region.
- The creating principal needs `kms:CreateGrant` and `kms:DescribeKey` on the key, or instance creation fails.
- Encryption is set at instance creation with `--storage-encrypted --kms-key-id <alias|arn>`. You cannot encrypt an existing unencrypted instance in place — go snapshot → `copy-db-snapshot --kms-key-id` → `restore-db-instance-from-db-snapshot`.
- For cross-region DR, replicate the multi-region key (`kms:ReplicateKey`) into the DR region first, then `copy-db-snapshot` across regions with the replica key.
- Import tokens expire after 24 hours — if `import-key-material` fails on expiry, re-run `get-parameters-for-import` to get a fresh token and wrapping key.
- Cite blog DBBLOG-5188 and byok-kms.md; do not invent KMS parameter names.
For "self-managed Active Directory with Kerberos on RDS for Db2", you MUST tell the user ALL of the following six facts:
- RDS joins your AD via `--domain-fqdn`, `--domain-ou`, `--domain-auth-secret-arn`, and `--domain-dns-ips` — the self-managed AD path, with no AWS Managed Microsoft AD required.
- The Secrets Manager secret uses keys `SELF_MANAGED_ACTIVE_DIRECTORY_USERNAME` (the sAMAccountName only — no `DOMAIN\` prefix, which fails creation) and `SELF_MANAGED_ACTIVE_DIRECTORY_PASSWORD`, encrypted by a dedicated KMS key, with a resource policy trusting `rds.amazonaws.com` guarded by `aws:SourceArn` and `aws:SourceAccount` (confused-deputy protection).
- Delegate the nine AD permissions to a dedicated service account scoped to one OU; grant read/write `servicePrincipalName` on User objects using ADSI Edit, not the ADUC delegation wizard (which filters that attribute out) — this is the most common failure.
- Open AD ports between RDS and the domain controllers: DNS 53, Kerberos 88 and 464, LDAP 389 and 3268, and the RPC range 49152–65535. Missing the RPC range is the top cause of intermittent join failures. Keep clock skew under 5 minutes.
- The RDS master user is a local account that cannot get a Kerberos ticket. AD users need `kinit` plus a `GRANT CONNECT`. Kerberos JDBC uses `securityMechanism=11` and a region-specific PEM via `sslCertLocation` (never `global-bundle.pem`).
- Cite the self-managed AD blog and ad-kerberos.md; verify with `describe-db-instances ... DomainMemberships` showing `Status: joined`.
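Two of the join failures listed above (a `DOMAIN\`-prefixed username in the secret, and a missing RPC port range) are detectable before `create-db-instance` is ever called. This added example (not part of the rds-db2 skill or ad-kerberos.md; the function names and sample secret are constructed) checks the secret JSON for the two required keys and the bare-sAMAccountName rule, and compares the ports a rule set actually permits against the list the skill gives. It goes one step beyond the page by also rejecting a UPN-style `user@domain` username, which is equally not a sAMAccountName. Port coverage is computed over ranges, so an allowed `49152-65535` or a blanket `0-65535` both satisfy the RPC requirement.

```bash
#!/usr/bin/env bash
# Added example (not part of the rds-db2 skill): pre-flight checks for the
# self-managed AD join: secret shape and required port coverage.

# Ports/ranges the skill lists between RDS and the domain controllers.
REQUIRED_AD_PORTS="53 88 464 389 3268 49152-65535"

# Minimal flat-JSON string extraction. Args: json key
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Validate the Secrets Manager secret body. Prints one line per problem and
# returns the problem count. Arg: secret JSON string
check_ad_secret() {
  secret_json=$1; problems=0
  user=$(json_field "$secret_json" SELF_MANAGED_ACTIVE_DIRECTORY_USERNAME)
  pass=$(json_field "$secret_json" SELF_MANAGED_ACTIVE_DIRECTORY_PASSWORD)
  [ -n "$user" ] || { echo "missing SELF_MANAGED_ACTIVE_DIRECTORY_USERNAME"; problems=$((problems+1)); }
  [ -n "$pass" ] || { echo "missing SELF_MANAGED_ACTIVE_DIRECTORY_PASSWORD"; problems=$((problems+1)); }
  case "$user" in
    *\\*) echo "username '$user' carries a DOMAIN\\ prefix; use the bare sAMAccountName"; problems=$((problems+1)) ;;
    *@*)  echo "username '$user' is a UPN; use the bare sAMAccountName"; problems=$((problems+1)) ;;
  esac
  return "$problems"
}

# Does an allowed entry ("port" or "lo-hi") fully cover the needed range?
# Args: allowed_entry need_lo need_hi
range_covers() {
  case "$1" in *-*) lo=${1%-*}; hi=${1#*-} ;; *) lo=$1; hi=$1 ;; esac
  [ "$lo" -le "$2" ] && [ "$hi" -ge "$3" ]
}

# Compare the allowed set against REQUIRED_AD_PORTS. Prints each uncovered
# requirement and returns the count. Arg: space-separated allowed ports/ranges
check_ad_ports() {
  allowed=$1; missing=0
  for need in $REQUIRED_AD_PORTS; do
    case "$need" in *-*) nlo=${need%-*}; nhi=${need#*-} ;; *) nlo=$need; nhi=$need ;; esac
    found=0
    for have in $allowed; do
      if range_covers "$have" "$nlo" "$nhi"; then found=1; break; fi
    done
    [ "$found" -eq 1 ] \
      || { echo "required port(s) $need not covered between RDS and the domain controllers"; missing=$((missing+1)); }
  done
  return "$missing"
}

# Usage (constructed inputs):
#   check_ad_secret '{"SELF_MANAGED_ACTIVE_DIRECTORY_USERNAME":"svc-rds-db2","SELF_MANAGED_ACTIVE_DIRECTORY_PASSWORD":"<constructed>"}'
#   check_ad_ports "53 88 464 389 3268"      # reports the missing RPC range
```

Feed `check_ad_ports` the ports your security group and NACL rules actually allow toward the domain controllers; the intermittent-join symptom the skill describes is exactly what a passing check for everything except `49152-65535` looks like.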
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| SQL30082N | Password rotated in Secrets Manager | Run `db2_use <instance-id>` |
| SQL1531N | DSN not yet in cache | Run the bundled client helper (see connectivity.md) |
| Connection hangs or is refused | Security group blocks 50000/50443 | Check SG inbound rules — add client's SG on TCP 50000 (plain) or 50443 (SSL). |
| GSKit / SSL certificate error | RDS cert bundle missing or RSA cert not first | Re-download `<region>-bundle.pem` and rebuild the truststore with the RSA certificate first |
| Access denied on RDSADMIN call | IAM role missing `S3_INTEGRATION` feature | Run `aws rds add-role-to-db-instance --feature-name S3_INTEGRATION` |
| Restore fails with "database in rollforward pending" | ONLINE restore left DB in rollforward state | Call `rdsadmin.rollforward_database` for each archive log, then `rdsadmin.complete_rollforward` |
| Standby replica creation fails | Missing prereqs | Verify: automated backups enabled, custom parameter group in DR region, KMS multi-region key, no pending reboots |
| AD domain join fails | RPC port range blocked, wrong secret format, or SPN attribute missing | Open RPC 49152–65535 between RDS and the DCs, confirm the secret username is the sAMAccountName with no `DOMAIN\` prefix, and delegate `servicePrincipalName` write access via ADSI Edit |
| `import-key-material` fails | Import token older than 24 hours | Re-run `get-parameters-for-import` for a fresh token and wrapping key, then import again |
| Throttling from RDS API | Exceeded API request rate | Exponential backoff with jitter; batch operations; check Service Quotas. |
Security Considerations
Surface these controls when advising on any production RDS for Db2 deployment. They consolidate the security guidance that the sub-skill references cover in depth.
- Encryption at rest and in transit — Always create instances with `--storage-encrypted`; for key ownership and compliance use a customer-managed KMS key (BYOK), and for DR use a multi-region key. Enforce TLS on every connection (port 50443, `<region>-bundle.pem`); never connect in plaintext for production. See byok-kms.md and connectivity-tls.md. (Guideline 1)
- Least-privilege IAM — Use the scoped policy and trust policy in minimum-iam.md; never attach a `*FullAccess` managed policy. Scope `iam:PassRole` and ARN-pattern every mutating statement that supports resource-level permissions. (Guideline 5)
- Network isolation — Keep instances in private subnets, restrict security groups to the application/source SG (never `0.0.0.0/0`), and use VPC endpoints for S3/SSM/Secrets Manager so traffic stays off the public internet. See colocation.md. (Guideline 5)
- Audit logging and monitoring — Enable Db2 audit to S3 (db2-audit.md), RDS Enhanced Monitoring, and CloudTrail for RDS/KMS/Secrets Manager API calls. Alarm on failed logins and configuration changes. (Guideline 12)
- Secret rotation — Provision with `--manage-master-user-password` so RDS stores and rotates the master password in Secrets Manager; never embed plaintext passwords. After rotation, refresh clients with `db2_use <instance-id>`. (Guideline 13)
- Backup encryption and retention — Set a backup retention period, encrypt automated and manual snapshots with your KMS key, and apply S3 bucket encryption plus lifecycle/retention to any Db2 audit or backup buckets. (Guideline 13)
Additional Resources
In-scope documentation and blogs
- AWS docs — RDS for Db2: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDSDb2.html
- AWS docs — RDS for Db2 IAM permissions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
- AWS docs — Kerberos authentication for RDS for Db2: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/db2-kerberos.html
- Blog — Connect to RDS for Db2 from CloudShell: https://aws.amazon.com/blogs/database/connect-to-amazon-rds-for-db2-using-aws-cloudshell/
- Blog — Restore self-managed Db2 Linux into RDS for Db2: https://aws.amazon.com/blogs/database/restore-self-managed-db2-linux-databases-in-amazon-rds-for-db2/
- Blog — Near-zero downtime from AIX/Windows to RDS for Db2 with Q Replication: https://aws.amazon.com/blogs/database/near-zero-downtime-migrations-from-self-managed-db2-on-aix-or-windows-to-amazon-rds-for-db2-using-ibm-q-replication/
- Blog — Cross-region standby replicas: https://aws.amazon.com/blogs/database/configure-amazon-rds-for-db2-standby-replicas-for-high-availability-and-faster-disaster-recovery/
- Blog — Mainframe DDL conversion (z/OS to RDS for Db2): https://aws.amazon.com/blogs/database/migrating-tables-from-ibm-db2-for-z-os-to-amazon-rds-for-db2/
- Blog — Code page and collation for mainframe migration: https://aws.amazon.com/blogs/database/choosing-the-right-code-page-and-collation-for-migration-from-mainframe-db2-to-amazon-rds-for-db2/
- Blog — Bring your own customer-managed KMS key for RDS for Db2 (DBBLOG-5188): https://aws.amazon.com/blogs/database/bring-your-own-key-to-amazon-rds-for-db2-with-a-customer-managed-kms-key/
- Blog — Self-managed Active Directory with Kerberos for RDS for Db2: https://aws.amazon.com/blogs/database/use-kerberos-authentication-with-a-self-managed-active-directory-for-amazon-rds-for-db2/
Related topics (cited resources, not yet routed sub-skills)
These adjacent topics are not expanded into routed references in this iteration. Each is discoverable through the cited resource below.
- Reverse log shipping for RDS for Db2 (DBBLOG-5352): https://aws.amazon.com/blogs/database/implement-reverse-log-shipping-for-amazon-rds-for-db2/
- Multi-account connectivity: workspace source `04-db2-client/RDS-Db2-Multiple-Account-Connectivity/`
- Terraform provisioning: workspace source `04-db2-client/RDS-Db2-Terraform/`
- CIS compliance: workspace source `04-db2-client/CIS-Compliance/`
- db2mon monitoring: workspace source `04-db2-client/db2mon_RDS/`
- Compression savings: workspace source `04-db2-client/Compression-Savings/`
- Migration prerequisite check (DBBLOG-5048): https://aws.amazon.com/blogs/database/migrate-from-ibm-db2-to-amazon-rds-for-db2-using-a-migration-prerequisite-check/
- Load from S3: workspace source `04-db2-client/load-from-s3/`
- Sample Java stored procedures: workspace source `04-db2-client/sample-java-sp/`
Blog catalog
The authoritative list of published RDS for Db2 blogs and sample tools is maintained at https://github.com/aws-samples/sample-rds-db2-tools/tree/main — consult it for the current set of blog articles and companion code.
- Related skill (migrating off Db2 LUW to PostgreSQL): `rds-postgres-migration` (if present in corpus).
Handoff from aws-database-selection
This skill can be invoked directly, or it can be entered from the parent skill `aws-database-selection` after that skill has run a requirements interview and produced a `requirements.json` artifact. When you see a backtick-wrapped path matching `aws_dbs_requirements/*/requirements.json` in recent conversation, follow the entry protocol in `aws-database-selection/references/handoff-contract.md`:
- Read the artifact using `file_read`.
- Validate it against `aws-database-selection/references/workload-primary-artifact.schema.json`. If malformed or unreadable, tell the user and proceed without it.
- Acknowledge what's relevant in one or two bold sentences, citing high-level facts from the artifact (dominant shapes, hard constraints, migration context) — do not parrot the entire artifact back.
- Scope-check: this skill is scoped to Amazon RDS for Db2 — migrations from Db2 z/OS or LUW, HADR, standby replicas, SQL PL routines, Q Replication cutovers. If the artifact's `workload_primaries.dominant_shapes` or `migration_context` don't match that scope, emit weak backpressure per the handoff contract: suggest `amazon-aurora` for refactor-to-PostgreSQL from Db2, or go back to `aws-database-selection` if Db2 isn't the source, then ask the user whether to go back or proceed anyway. Do not silently misuse the artifact.
- Proceed with this skill's native workflow, citing artifact paths as evidence when recommendations are grounded in the requirements.
The curated RDS-for-Db2 selection facts that the parent skill `aws-database-selection` consumes live at `assets/selection-knowledge-input.json` (with a human-readable companion at `assets/selection-knowledge-input.md`). These capture the in-scope source-migration scenarios, hard constraints, HA/DR options, and security areas in a structured, reusable form — read them when you need the curated selection view rather than re-deriving it.
All user-facing output from this skill follows the markdown-primitives-only formatting convention in the handoff contract: bold labels, backticks for paths and enum values, bullet lists for alternatives, no ASCII art or box-drawing characters.