A fix is available
APAR status
Closed as program error.
Error description
DB2DDF DB2TCPIP defect pm43292 dpm43292
Allow RACF protected userIDs to be PassTicket authenticated.
**************************************
Additional symptoms and keywords:
MSGDSNL030I DSNL030I DSNLTSEC.30 00F30085 RC00F30085 MSGICH408I ICH408I MSGIRR013I IRR013I RACF PassTickets RACF Protected userid
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All DB2 for z/OS Distributed Data Facility   *
*                 (DDF) users, especially those who are        *
*                 using RACF PassTickets to remotely access    *
*                 a DB2 for z/OS server via TCP/IP.            *
****************************************************************
* PROBLEM DESCRIPTION: Message DSNL030I is displayed with      *
*                      csect-name token DSNLTSEC.30 and        *
*                      REASON=00F30085. Also, the userid       *
*                      displayed in the message is known to    *
*                      be a RACF protected userid.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Currently, a DB2 for z/OS subsystem which receives connect requests from other DB2 for z/OS subsystems via TCP/IP must pass the userid credentials to SAF for authentication. Usually, for TCP/IP communications, the userid is presented with a password for authentication. Unlike SNA communications, specific TCP/IP requesting locations cannot be configured to be trusted to provide already-verified userids. TCP/IP communications must therefore be set up at a requesting DB2 for z/OS to send both a userid and a password in the connect request to a remote DB2 location.

To minimize the storing of userids and passwords in the requesting DB2 for z/OS Communications Data Base (CDB), many users configure the requesting DB2 for z/OS to use RACF PassTickets when connecting to other remote DB2 for z/OS locations. Since the serving DB2 has no indication that the password could be a RACF PassTicket, it passes the userid and password to SAF for authentication. For most userids, SAF (RACF) checks whether the password is a valid RACF PassTicket and, if it is, authenticates the userid for access to the serving DB2 for z/OS. However, if the userid is a RACF protected userid, RACF rejects this authentication request by flagging the password as invalid.
Both ICH408I and IRR013I messages will be issued indicating that an invalid password was presented for authentication.
Problem conclusion
DB2 has been changed to support receiving RACF PassTickets with RACF protected userids over TCP/IP communications from requesting DB2 for z/OS subsystems. However, to receive RACF PassTickets as passwords with RACF protected userids over TCP/IP communications from a DB2 for z/OS requester, the following RACF actions must be taken:

- A RACF PTKTDATA resource profile must be created at the server system or sysplex using the following naming rules:

    RDEFINE PTKTDATA IRRPTAUTH.applname.userid
  or
    RDEFINE PTKTDATA IRRPTAUTH.applname.*

  where applname is either the generic LU name or IPNAME assigned to each member of a serving data sharing group, or the LUNAME or IPNAME assigned to the serving non-data sharing subsystem, and userid is either an asterisk ("*") or a RACF protected userid that one wants to allow into the serving subsystem or member of a data sharing group.

- Once the RACF profile has been defined, the PTKTDATA resource must be refreshed as follows:

    SETROPTS RACLIST(PTKTDATA) REFRESH

- Once the PTKTDATA resource profiles have been refreshed and loaded, the userid assigned in the STDATA of the STARTED profile of the ssidDIST address space must be permitted to read this new profile as follows:

    PERMIT IRRPTAUTH.applname.userid CLASS(PTKTDATA) -
           ID(dist_userid) ACCESS(READ)
  or
    PERMIT IRRPTAUTH.applname.* CLASS(PTKTDATA) -
           ID(dist_userid) ACCESS(READ)

  where userid and dist_userid are not the same.

The above actions do not need to be taken if one does not use RACF protected userids in connect requests from a requesting DB2 for z/OS to a serving DB2 for z/OS. The RACF resource profile can be created prior to installing the PTF of this APAR. However, until all members of a data sharing group have been started with the PTF applied, some members may still reject the connection attempt as receiving an invalid password when a RACF protected userid is used in the connection attempt.
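As an added worked example (not part of the APAR text), the three RACF steps above run as a batch TSO job for a constructed non-data-sharing server: IPNAME DB2PSRV, protected userid BATCHPRD, and DB2PDIST as the ssidDIST started-task userid; all three names are assumptions, and for a data sharing group the applname would instead be the group's generic LU name or IPNAME. It goes beyond the APAR's list by adding a second RACLIST refresh after the PERMIT, which a RACLISTed class needs before the new access list is honoured, and an RLIST to verify the result.

```jcl
//RACFPTKT JOB (ACCT),'PTKTDATA FOR DDF',CLASS=A,MSGCLASS=X
//* Added example, not from the APAR: define and permit the PTKTDATA
//* profile that lets a serving DB2 for z/OS authenticate a RACF
//* protected userid with a PassTicket over TCP/IP (PM43292).
//* Constructed names (replace with your own):
//*   DB2PSRV  - IPNAME of the serving non-data-sharing subsystem
//*   BATCHPRD - the RACF protected userid sent by the requester
//*   DB2PDIST - userid from STDATA of the ssidDIST STARTED profile
//* Step 1: define the profile for the one protected userid (an
//*         explicit userid is tighter than IRRPTAUTH.DB2PSRV.*).
//* Step 2: refresh so the RACLISTed PTKTDATA class sees the profile.
//* Step 3: permit the DDF address-space userid READ access.
//* Added: a PERMIT on a RACLISTed class takes effect only after
//*        another refresh, so refresh again before testing.
//* Added check: RLIST ... AUTHUSER shows the access list, so you can
//*        confirm DB2PDIST holds READ before retrying the connection.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE PTKTDATA IRRPTAUTH.DB2PSRV.BATCHPRD UACC(NONE)
  SETROPTS RACLIST(PTKTDATA) REFRESH
  PERMIT IRRPTAUTH.DB2PSRV.BATCHPRD CLASS(PTKTDATA) -
         ID(DB2PDIST) ACCESS(READ)
  SETROPTS RACLIST(PTKTDATA) REFRESH
  RLIST PTKTDATA IRRPTAUTH.DB2PSRV.BATCHPRD AUTHUSER
/*
```

Until every member of a data sharing group runs with the PTF applied, a successful RLIST does not guarantee the connection will be accepted by all members, as the APAR notes.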
Temporary fix
Comments
APAR Information
APAR number
PM43292
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-07-07
Closed date
2011-09-24
Last modified date
2011-11-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK72212 UK72213
Modules/Macros
DSNDAUFR DSNDAUTH DSNLTEXC DSNLTSEC DSN3AUCM DSN3AUCN DSN3AUFR DSN3AUSI DSN3AUTH
SC18984010 | SC19296804 |
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels