IBM Support

LUWID in messages: how do I trace the TCP/IP address and port to understand the location/user it is coming from?

Question & Answer


Question

How do I trace the TCP/IP address and port from the LUWID in a message?

Answer

There is a simple way to determine the IP address that sent the request. DB2 Connect™ generates the TCP/IP LUWID based on the client's IP address. By decoding the display of LUWID in messages, you can determine the IP address of the user who triggered the message and catch unauthorized use of an ID.

As an example, here is some output from the DSNL030I message:

**********************************************************


DSNL030I-DB2B DSNLTSEC DDF PROCESSING FAILURE FOR
LUWID=J56F045C.G422.B6D833AB804D
AUTHID=qhmcdjk, REASON=00D31050
**********************************************************

TCP/IP LUWIDs are based on the client's IP address, port number, and a unique sequence number. In the example, the LUWID = J56F045C.G422.B6D833AB804D.

J56F045C represents the TCP/IP address, G422 is the port number, and B6D833AB804D is the unique sequence number. How are these numbers decoded?

  • J56F045C represents the TCP/IP address in hexadecimal. To provide coexistence with SNA, where SNA LUWIDs must begin with a letter ('A' through 'Z'), the first TCP/IP hexadecimal digit is converted to a character that ranges from 'G' through 'P' where:
    G=0, H=1, I=2, J=3, K=4, L=5, M=6, N=7, O=8, P=9.

    Therefore, J56F045C is equivalent to 356F045C (or 35.6F.04.5C). Converting from hexadecimal to decimal, 35.6F.04.5C is equal to 53.111.4.92.

  • G422 represents the port number. Following the numbering conventions of the previous field (where G=0), G422 is generated from port number 1058.

So, in this example, the unauthorized user is initiating the request from IP address 53.111.4.92 using port number 1058.
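The decoding steps above, as an added Python example (not part of the original IBM document). It also pulls LUWID= values out of message text and skips ones that do not decode, such as SNA LUWIDs. The function names and the SNA-style sample line are constructed for illustration, and a leading character outside 'G' through 'P' is rejected because this page only describes that mapping.

```python
import ipaddress
import re

# Mapping stated on the page: a leading hex digit 0..9 is displayed as 'G'..'P'.
LEAD = {c: str(i) for i, c in enumerate("GHIJKLMNOP")}
LUWID_RE = re.compile(r"LUWID=([A-Z0-9]+)\.([A-Z0-9]+)\.([0-9A-F]+)")

# The DSNL030I text from the page, plus one constructed SNA-style LUWID.
SAMPLE = [
    "DSNL030I-DB2B DSNLTSEC DDF PROCESSING FAILURE FOR",
    "LUWID=J56F045C.G422.B6D833AB804D",
    "AUTHID=qhmcdjk, REASON=00D31050",
    "LUWID=USNET01.LUDB2A.A1B2C3D4E5F6",  # constructed, not from the page
]


def _field(value, ndigits, what):
    """Undo the G..P substitution on one field and return its integer value."""
    tail = value[1:]
    if value[:1] not in LEAD or not re.fullmatch(r"[0-9A-F]{%d}" % (ndigits - 1), tail):
        raise ValueError(f"{what} field {value!r} is not in TCP/IP LUWID form")
    return int(LEAD[value[0]] + tail, 16)


def decode_luwid(luwid):
    """Return (ip, port, sequence) for a TCP/IP LUWID."""
    parts = luwid.strip().upper().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected three dot-separated fields, got {luwid!r}")
    addr, port, seq = parts
    ip = ipaddress.IPv4Address(_field(addr, 8, "address"))  # 8 hex digits = 4 octets
    return str(ip), _field(port, 4, "port"), seq             # 4 hex digits = port


def scan(lines):
    """Yield (luwid, ip, port) for each decodable LUWID= found in message lines."""
    for m in LUWID_RE.finditer("\n".join(lines)):
        luwid = ".".join(m.groups())
        try:
            ip, port, _ = decode_luwid(luwid)
        except ValueError:
            continue  # not TCP/IP form, e.g. an SNA LUWID
        yield luwid, ip, port


if __name__ == "__main__":
    for luwid, ip, port in scan(SAMPLE):
        print(f"{luwid} -> {ip} port {port}")
```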



Note that if the client sets the information via the set CURRENT CLIENT_CORR_TOKEN special register, THREAD-INFO in various messages (such as DSNV401I) includes a correlation token that can be used to correlate work at the remote system with work performed at the DB2 subsystem. This may provide further information on the end user if the decoded TCP/IP address belongs to a gateway rather than to the end user.


Document Information

Modified date:
16 June 2018

UID

swg21055269