Troubleshooting
Problem
You receive an abend AD2U ( abendAD2U ) in module DFHD2EX1 when trying to access a DB2 plan from a CICS transaction. DB2 returns SQLCODE -922 and SQLERRC 00F30034. You are running with CA ACF2 from CA. It is active in log mode so you do not expect CA ACF2 to deny access to DB2.
Cause
CA ACF2 is returning the security violation because transaction security is being used instead of user security. When transaction security is used there is no userid associated with the task. CA ACF2 is looking for a userid to check for a valid logon id but there was no logon id found.
Diagnosing The Problem
Following is a CEDF screen that contains the DB2 error:
STATUS: COMMAND EXECUTION COMPLETE
CALL TO RESOURCE MANAGER DSNCSQL
EXEC SQL SET HOST VAR P.AUTH=RXMU , S.AUTH=
PLAN=DPO2701L, DBRM=DPO2701L, STMT=00368, SECT=00001
SQL COMMUNICATION AREA:
SQLCABC = 136 AT X'001887E0'
SQLCODE = -922 AT X'001887E4'
SQLERRML = 020 AT X'001887E8'
SQLERRMC = 'PLAN ACCESS,00F30034' AT X'001887EA’
CICS trace contains the same error information. The plan name (DP02701L) is in the LOT+54, the primary authorization (RMXU) is in the LOT+80, and the SQLERRMC (00F30034) is in the FRB+10.
A reason code of 00F30034 means the program attempting to execute the plan is not authorized to use the plan. This typically is fixed by GRANTing authority to the authid.
It was surprising that CA ACF2 denied access to DB2 because it was active in LOG mode as follows:
This should mean that access violations are logged but access is not denied.
Resolving The Problem
Do one or both of the following:
- Inactivate CA ACF2 for the DB2 subsystem and cycle DB2 by entering the following commands:
SET CONTROL(DB2) SYSID(xxxx) - where xxxx is the DB subsystem
CHANGE OPTS NOACTIVE
- Apply CA ACF2 release 1.1 fixes TB0064C, TB0064B, and TB0065B. These fixes stop CA ACF2 from doing CICS security checking. This accomplishes the same thing as inactivating CA ACF2.
CA ACF2 security should be inactive for CICS. Security checking should be done within CICS and DB2. Contact CA if you need further assistance.
When you inactivate ACF2 for the DB2 subsystem the following messages are written to the DB2 log (DSNBMSTR):
When you activate ACF2 for the DB2 subsystem the following messages are written to the DB2 log ( DSNBMSTR ) after message DSNR002I -xxxx RESTART COMPLETED:
Product Synonym
CICS/TS CICS TS CICS Transaction Server
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21161021