IBM Support

AD2U with SQLCODE -922 and SQLERRC 00F30034 when using CA ACF2

Troubleshooting


Problem

You receive an abend AD2U (abendAD2U) in module DFHD2EX1 when trying to access a DB2 plan from a CICS transaction. DB2 returns SQLCODE -922 and SQLERRC 00F30034. You are running with CA ACF2 from CA. It is active in log mode, so you do not expect CA ACF2 to deny access to DB2.

Cause

CA ACF2 returns the security violation because transaction security is being used instead of user security. When transaction security is used, there is no userid associated with the task. CA ACF2 looks for a userid to check for a valid logon id, but no logon id is found.

Diagnosing The Problem

The following CEDF screen contains the DB2 error:
STATUS:  COMMAND EXECUTION COMPLETE
    CALL TO RESOURCE MANAGER DSNCSQL
    EXEC SQL SET HOST VAR         P.AUTH=RXMU    , S.AUTH=
       PLAN=DPO2701L, DBRM=DPO2701L, STMT=00368, SECT=00001
       SQL COMMUNICATION AREA:
         SQLCABC   = 136                    AT X'001887E0'
         SQLCODE   = -922                   AT X'001887E4'
         SQLERRML  = 020                    AT X'001887E8'
         SQLERRMC  = 'PLAN ACCESS,00F30034' AT X'001887EA'

The CICS trace contains the same error information. The plan name (DP02701L) is at LOT+54, the primary authorization (RMXU) is at LOT+80, and the SQLERRMC (00F30034) is at FRB+10.

A reason code of 00F30034 means the program attempting to execute the plan is not authorized to use the plan. This typically is fixed by GRANTing authority to the authid.
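The following triage script is an added example, not part of the IBM document. It parses a CEDF screen like the one above and reports the plan and primary authid to check when SQLCODE -922 carries reason 00F30034. The function names `parse_cedf` and `triage` are hypothetical, and the sample input is the screen from this page with its closing quote normalised.

```python
import re

# Sample input: the CEDF screen from this page (closing quote normalised).
CEDF_SCREEN = """\
STATUS:  COMMAND EXECUTION COMPLETE
    CALL TO RESOURCE MANAGER DSNCSQL
    EXEC SQL SET HOST VAR         P.AUTH=RXMU    , S.AUTH=
       PLAN=DPO2701L, DBRM=DPO2701L, STMT=00368, SECT=00001
       SQL COMMUNICATION AREA:
         SQLCABC   = 136                    AT X'001887E0'
         SQLCODE   = -922                   AT X'001887E4'
         SQLERRML  = 020                    AT X'001887E8'
         SQLERRMC  = 'PLAN ACCESS,00F30034' AT X'001887EA'
"""

def parse_cedf(text):
    """Pull the authorization-relevant fields out of a CEDF SQL screen."""
    fields = {}
    # KEY=value pairs on the EXEC SQL lines; a value may be blank (S.AUTH=).
    for key, val in re.findall(r"\b([A-Z.]+)=([A-Z0-9$#@]*)", text):
        fields[key] = val
    # SQLCA lines have the form: NAME = value AT X'address'
    for name, val in re.findall(r"^\s*(SQL[A-Z]+)\s*=\s*(.+?)\s+AT X'", text, re.M):
        fields[name] = val.strip("'")
    fields["SQLCODE"] = int(fields["SQLCODE"])
    return fields

def triage(fields):
    """Return (matches_this_page, summary). Hypothetical helper."""
    errmc = fields.get("SQLERRMC", "")
    # SQLERRML is the length of SQLERRMC; a mismatch means the capture
    # was truncated or mis-copied, so do not trust the reason code.
    if int(fields.get("SQLERRML", 0)) != len(errmc):
        return False, "SQLERRMC length does not match SQLERRML"
    error_type, _, reason = errmc.partition(",")
    if fields["SQLCODE"] == -922 and reason == "00F30034":
        authid = fields.get("P.AUTH") or "(none)"
        return True, (f"{error_type} denied for plan {fields.get('PLAN')}, "
                      f"primary authid {authid}, reason {reason}")
    return False, f"SQLCODE {fields['SQLCODE']} is a different failure"

if __name__ == "__main__":
    print(triage(parse_cedf(CEDF_SCREEN))[1])
```
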

It was surprising that CA ACF2 denied access to DB2 because it was active in LOG mode as follows:

This should mean that access violations are logged but access is not denied.

Resolving The Problem

Do one or both of the following:

  • Inactivate CA ACF2 for the DB2 subsystem and cycle DB2 by entering the following commands:
    SET CONTROL(DB2) SYSID(xxxx) - where xxxx is the DB subsystem
    CHANGE OPTS NOACTIVE
  • Apply CA ACF2 release 1.1 fixes TB0064C, TB0064B, and TB0065B. These fixes stop CA ACF2 from doing CICS security checking. This accomplishes the same thing as inactivating CA ACF2.

CA ACF2 security should be inactive for CICS. Security checking should be done within CICS and DB2. Contact CA if you need further assistance.

When you inactivate ACF2 for the DB2 subsystem the following messages are written to the DB2 log (DSNBMSTR):

When you activate ACF2 for the DB2 subsystem the following messages are written to the DB2 log (DSNBMSTR) after message DSNR002I -xxxx RESTART COMPLETED:

Product: CICS Transaction Server
Business Unit: IBM Infrastructure w/TPS
Component: DB2
Platform: z/OS
Version: 2.3; 2.2
Line of Business: Mainframe SW

Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
15 June 2018

UID

swg21161021