IBM Support

PM43292: ALLOW RACF PROTECTED USERIDS TO BE PASSTICKET AUTHENTICATED

A fix is available

APAR status

  • Closed as program error.

Error description

  • DB2DDF DB2TCPIP defect pm43292 dpm43292
    Allow RACF protected userIDs to be PassTicket authenticated.
    **************************************
    Additional symptoms and keywords:
    MSGDSNL030I DSNL030I DSNLTSEC.30 00F30085 RC00F30085
    MSGICH408I ICH408I
    MSGIRR013I IRR013I
    RACF PassTickets
    RACF Protected userid

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All DB2 for z/OS Distributed Data Facility   *
    *                 (DDF) users.  Especially those who are       *
    *                 using RACF PassTickets to remotely access    *
    *                 a DB2 for z/OS server via TCP/IP.            *
    ****************************************************************
    * PROBLEM DESCRIPTION: Message DSNL030I is displayed with      *
    *                      csect-name token DSNLTSEC.30 and        *
    *                      REASON=00F30085.  Also, the userid      *
    *                      displayed in the message is known to    *
    *                      be a RACF protected userid.             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Currently, a DB2 for z/OS subsystem which receives connect
    requests from other DB2 for z/OS subsystems via TCP/IP must
    pass the userid credentials to SAF for authentication.
    Usually, for TCP/IP communications, the userid is presented
    with a password for authentication.  Unlike SNA communications,
    specific TCP/IP requesting locations cannot be configured to
    be trusted to provide already-verified userids.  TCP/IP
    communications must therefore be set up at a requesting DB2
    for z/OS to send both a userid and a password in the connect
    request to a remote DB2 location.  To minimize the storing of
    userids and passwords in the requesting DB2 for z/OS
    Communications Data Base (CDB), many users configure the
    requesting DB2 for z/OS to use RACF PassTickets when connecting
    to other remote DB2 for z/OS locations.  Since the serving DB2
    does not have any indication that the password could be a RACF
    PassTicket, the serving DB2 passes the userid and password to
    SAF for authentication.  For most userids, SAF (RACF) will
    check to see if the password is a valid RACF PassTicket, and
    if it is, will then authenticate the userid for access to the
    serving DB2 for z/OS.  However, if the userid is a RACF
    protected userid, RACF will reject this authentication request
    by flagging the password as invalid.  Both ICH408I and IRR013I
    messages will be issued indicating that an invalid password was
    presented for authentication.
    

Problem conclusion

  • DB2 has been changed to support receiving RACF PassTickets
    with RACF protected userids over TCP/IP communications from
    requesting DB2 for z/OS subsystems.
    However, when receiving RACF PassTickets as passwords with
    RACF protected userids over TCP/IP communications from a DB2
    for z/OS requester, the following RACF actions must be taken:
    - A RACF PTKTDATA resource profile must be created at the
      server system or sysplex using the following naming rules:
    
      RDEFINE PTKTDATA IRRPTAUTH.applname.userid or
      RDEFINE PTKTDATA IRRPTAUTH.applname.*
    
      Where applname is either the generic LU name or IPNAME
      assigned to each member of a serving data sharing group
      or is the LUNAME or IPNAME assigned to the serving
      non-data sharing subsystem.
    
      Where userid is either an asterisk ("*") or a RACF protected
      userid that one wants to allow into the serving subsystem or
      member of a data sharing group.
    - Once the RACF profile has been defined, the PTKTDATA resource
      must be refreshed as follows:
    
      SETROPTS RACLIST(PTKTDATA) REFRESH
    - Once the PTKTDATA resource profiles have been refreshed and
      loaded, the userid assigned in the STDATA of the STARTED
      profile of the ssidDIST address space must be permitted to
      read this new profile as follows:
    
      PERMIT IRRPTAUTH.applname.userid CLASS(PTKTDATA) -
        ID(dist_userid) ACCESS(READ) or
      PERMIT IRRPTAUTH.applname.* CLASS(PTKTDATA) -
        ID(dist_userid) ACCESS(READ)
    
      Where userid and dist_userid must not be the same.
    The above actions do not need to be taken if one does not use
    RACF protected userids in connect requests from a requesting
    DB2 for z/OS to a serving DB2 for z/OS.
    The RACF resource profile can be created prior to installing
    the PTF of this APAR.  However, until all members of a data
    sharing group have been started with the PTF applied, some
    members may still reject the connection attempt as receiving
    an invalid password when a RACF protected userid is used in
    the connection attempt.
    
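An added check, not IBM code and not part of this APAR, that models the PTKTDATA prerequisite above so an administrator can confirm it before a PTF is applied: given the serving subsystem's LUNAME/IPNAME (applname), the RACF protected userid that will arrive with a PassTicket, and the userid of the ssidDIST address space, it reports what would still cause a rejection. The profile names, userids and access lists are constructed sample data, and the profile-matching order (exact IRRPTAUTH.applname.userid first, then the generic IRRPTAUTH.applname.*) is a simplifying assumption.

```python
# Added example, not IBM code: an offline model of the PTKTDATA prerequisite
# described in this APAR. Given a serving DB2's LUNAME/IPNAME (applname), a
# RACF protected userid arriving with a PassTicket over TCP/IP, and the userid
# of the ssidDIST address space, it reports what would still make the serving
# DB2 reject the connection. Profile matching is simplified (assumption): the
# exact IRRPTAUTH.applname.userid profile is used if defined, else the generic
# IRRPTAUTH.applname.* profile. All names and profiles below are constructed.

# Constructed sample: PTKTDATA profile -> {userid: access level}, as held
# after SETROPTS RACLIST(PTKTDATA) REFRESH.
SAMPLE_PROFILES = {
    "IRRPTAUTH.DB2APRD.BATCHPRD": {"DB2PDIST": "READ"},  # one protected userid
    "IRRPTAUTH.DB2ATST.*": {"DB2TDIST": "READ"},         # any userid on DB2ATST
    "IRRPTAUTH.DB2ADEV.*": {"DB2DDIST": "NONE"},         # profile defined, no PERMIT
}

# RACF access levels that satisfy an ACCESS(READ) requirement.
READ_OR_HIGHER = ("READ", "UPDATE", "CONTROL", "ALTER")


def matching_profile(profiles, applname, userid):
    """Return the PTKTDATA profile covering applname/userid, or None."""
    for name in (f"IRRPTAUTH.{applname}.{userid}", f"IRRPTAUTH.{applname}.*"):
        if name in profiles:
            return name
    return None


def check_passticket_setup(profiles, applname, userid, dist_userid):
    """Return the problems that would make the serving DB2 reject a
    PassTicket for a RACF protected userid; [] means the APAR's
    prerequisites are in place for this pair."""
    problems = []
    # The APAR requires the protected userid and the DDF userid to differ.
    if userid.upper() == dist_userid.upper():
        problems.append("protected userid must differ from the ssidDIST userid")
    profile = matching_profile(profiles, applname, userid)
    if profile is None:
        problems.append(f"no IRRPTAUTH.{applname}.{userid} or IRRPTAUTH.{applname}.* profile")
        return problems
    if profiles[profile].get(dist_userid.upper(), "NONE") not in READ_OR_HIGHER:
        problems.append(f"{dist_userid} lacks READ on {profile}")
    return problems


if __name__ == "__main__":
    for args in (("DB2APRD", "BATCHPRD", "DB2PDIST"), ("DB2ADEV", "APPDEV", "DB2DDIST")):
        print(args, check_passticket_setup(SAMPLE_PROFILES, *args) or "OK")
```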

APAR Information

  • APAR number

    PM43292

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-07-07

  • Closed date

    2011-09-24

  • Last modified date

    2011-11-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK72212 UK72213

Modules/Macros

  • DSNDAUFR DSNDAUTH DSNLTEXC DSNLTSEC DSN3AUCM
    DSN3AUCN DSN3AUFR DSN3AUSI DSN3AUTH
    

Publications Referenced

  • SC18984010 SC19296804

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RA10 PSY UK72212

       UP11/10/11 P F110

  • R910 PSY UK72213

       UP11/10/11 P F110

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 November 2011