A fix is available
APAR status
Closed as new function.
Error description
Sysplex workload balancing (WLB) client connections to Db2 can be redirected to any member of a Db2 data sharing group. The multi-factor (MFA) or passticket (PTKT) authentication information given on the initial connection to a member cannot be used on the redirect attempt to another member of the Db2 data sharing group.
Local fix
Problem summary
USERS AFFECTED:
All Db2 12 Distributed Data Facility (DDF) users. Specifically those who must now use multi-factor or passticket authentication from client workstation applications which access Db2 via the IBM Data Server Driver, for Java or non-Java, configured for sysplex workload balancing or seamless failover.

PROBLEM DESCRIPTION:
New function is being provided to handle successful multi-factor or passticket authentications with distributed client connections as being authenticated with all members of the data sharing group.

RECOMMENDATION:
Apply corrective PTF when available.

A Db2 data sharing group is a collection of one or more Db2 subsystems that access shared Db2 data. The Db2 subsystems communicate and cooperate with each other, acting as a single server. This environment supports both Db2 client failover and workload balancing functions, where an authenticated user can access any of the Db2 subsystems in a data sharing group. Both client failover and workload balancing are transparent to the application: the application is unaware that the connection is automatically moved to different members of the group. The Db2 client driver creates multiple transports to different members on behalf of the authenticated user, and the original authentication tokens are replayed by the Db2 client driver in order to establish those additional transports on behalf of the application. Today, when deploying either multi-factor or passticket authentication, the authentication tokens cannot be replayed, causing random connection failures when the Db2 driver attempts to establish another transport on behalf of the application.
Problem conclusion
Temporary fix
Comments
Db2 12 is being changed to provide a capability named sysplex group authentication. With this capability enabled across the members of a data sharing group, client applications which use either multi-factor or passticket authentication, when connecting to Db2 via a sysplex workload balancing or seamless failover enabled IBM Data Server Driver for Java or non-Java, will be considered successfully connected to the data sharing group. As such, when the driver spawns new connections to members of the group for a particular client application connection, the replay of the authentication credentials will be successful.

However, once a set of multi-factor or passticket credentials has been authenticated with a Db2 data sharing group, the driver must attempt periodic re-authentication of those credentials with any member of the group at least once every two hours so that the credentials will not be purged from the data sharing group. Also, if either of the following RACF commands is performed against the user ID of the connection, the authentication credentials for that user ID will be purged from the data sharing group:
- ALTUSER REVOKE
- DELUSER

To use sysplex group authentication within a Db2 data sharing group, the following must be configured and enabled:
- The ICSF load library, SCSFMOD0, must be in the LINKLIST of the LPAR where Db2 is running. If not properly configured, Db2 will issue message DSNX211I during startup.
- Db2 must be running with a Db2 subsystem parameters (ZPARM) module where AUTHEXIT_CACHEREFRESH (DSN6SPRM) is set to ALL. If not properly configured, Db2 will issue the new message DSN3582I with token NOT AVAILABLE during startup.
- If clients are to use passtickets for passwords, then two PTKTDATA profiles are required.

One profile defines the basic passticket as follows:

    RDEFINE PTKTDATA <applName> SSIGNON(KEYMASKED(<key>)) -
       APPLDATA('NO REPLAY PROTECTION')

where <applName> is the value of GENERICLU or IPNAME defined for each member of the data sharing group, and <key> is a session key with the value of 16 hexadecimal digits. The profile must be identically defined and available on each system in the sysplex where a member of the data sharing group is started.

Note: all members of a data sharing group must be defined with the same GENERICLU or IPNAME.

One other profile, at a minimum, is required as follows:

    RDEFINE PTKTDATA IRRPTAUTH.<applName>.*

or

    RDEFINE PTKTDATA IRRPTAUTH.<applName>.<userid>

where <applName> is the value of GENERICLU or IPNAME defined for each member of the data sharing group, and <userid> is a particular user ID that is being used from a distributed client with a passticket as the password. The user ID associated with the STARTED profile of the ssidDIST address space of each member of the data sharing group must have been given READ access to the profile. An example of the RACF commands to permit user ID SYSDSP read access to such a profile is:

    PERMIT IRRPTAUTH.<applName>.* CLASS(PTKTDATA) -
       ID(SYSDSP) ACCESS(READ)

or

    PERMIT IRRPTAUTH.<applName>.<userid> CLASS(PTKTDATA) -
       ID(SYSDSP) ACCESS(READ)

Message DSN3582I has been introduced as follows:

    DSN3582I csect-name SYSPLEX GROUP AUTHENTICATION IS status

Explanation
This message provides the following information about the ability of a Db2 data sharing group member to participate in the sysplex group authentication service:

csect-name
    The CSECT name of the Db2 module that issued the message.

status
    The status of the sysplex group authentication service:

    NOT AVAILABLE
        During Db2 startup, the initialization of the global authentication cache with this Db2 member of a data sharing group detected that the AUTHEXIT_CACHEREFRESH (DSN6SPRM) subsystem parameter was not set to ALL or that the ICSF load modules could not be loaded. These conditions prevent this member from participating in sysplex group authentication processing.

    LIMITED
        This member of a Db2 data sharing group has detected that at least one other member of the data sharing group is not able to participate in sysplex group authentication processing due to one or more of the following reasons:
        - The other member is not at a similar maintenance level, which provides the sysplex group authentication support.
        - The AUTHEXIT_CACHEREFRESH (DSN6SPRM) subsystem parameter on another member is not set to ALL.
        - The ICSF load modules could not be loaded.

    NOT LIMITED
        This member of a Db2 data sharing group has detected that all members of the data sharing group can now participate in the sysplex group authentication processing.

    NOT AVAILABLE FOR PASSTICKETS
        This member of a Db2 data sharing group has detected that it does not have the authority to evaluate a password for the presence of a passticket.

    AVAILABLE FOR PASSTICKETS
        This member of a Db2 data sharing group has detected that it has the authority to evaluate a password for the presence of a passticket.

System action
Processing continues.

System programmer response
Take the following action based on the status:

For any member that has the status of NOT AVAILABLE:
- Generate a Db2 subsystem parameters module (ZPARM) with the AUTHEXIT_CACHEREFRESH (DSN6SPRM) subsystem parameter set to ALL.
- If message DSNX211I is also issued for this member, the ICSF routines were not available for Db2 to load. Add the ICSF SCSFMOD0 load module library to the LINKLIST of the z/OS system. On an already IPLed system, the LINKLIST can be updated via the z/OS SETPROG LNKLST command.
After these problems have been corrected, stop and restart the Db2 member with the new or updated subsystem parameters module.

For any member that has the status of LIMITED:
One or all of the other started members of the group are either displaying a status of NOT AVAILABLE or are not at a maintenance level which provides the sysplex group authentication support. Ensure that the other members are at a similar maintenance level which provides the sysplex group authentication support and that all corrective actions have been performed against any member which had a status of NOT AVAILABLE. Once the corrective actions have been performed, stop and restart the other members. When all members meet the requirements for sysplex group authentication, DSN3582I will be reissued with the status of NOT LIMITED.

For any member that has the status of NOT AVAILABLE FOR PASSTICKETS:
Db2 has detected that the user ID associated with the STARTED profile of the ssidDIST address space must be granted READ permission to one of the following PTKTDATA profiles:

    IRRPTAUTH.<applName>.*
    IRRPTAUTH.<applName>.<userid>

where <applName> is either the GENERICLU or the IPNAME defined to each member of the data sharing group, and <userid> is an asterisk ("*") or a client user ID that you want to allow into the serving subsystem and be authenticated with a passticket as a password. After the user ID that is associated with the STARTED profile of the ssidDIST address space is granted READ permission to the appropriate PTKTDATA profile, and after Db2 successfully evaluates a passticket, DSN3582I will be reissued with the status of AVAILABLE FOR PASSTICKETS.

User response
None.

Note: The support provided by this APAR has been evaluated with RACF and IBM Multi-Factor Authentication for z/OS when the distributed clients have used multi-factor authentication tokens.

**** PE20/01/27 FIX IN ERROR. SEE APAR PH21433 FOR DESCRIPTION
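The following is an added example, not part of this APAR or of Db2: a small checker that reads DSN3582I and DSNX211I lines from a constructed syslog excerpt, records each member's group-authentication and passticket status, maps the status to the system programmer actions listed above, and reports whether the whole group is ready (every member NOT LIMITED). Member prefixes DB2A/DB2B/DB2C, the csect name, and the one-word DSNX211I line are assumptions for the sample input.

```python
import re
from collections import defaultdict

# Constructed syslog sample (not from the APAR). Member prefixes DB2A/DB2B/DB2C
# and the csect name DSN3AUGI are assumed; the DSN3582I text follows the format
# documented above. The DSNX211I line carries only the message id.
SAMPLE_LOG = """\
DB2A DSN3582I DSN3AUGI SYSPLEX GROUP AUTHENTICATION IS NOT AVAILABLE
DB2A DSNX211I
DB2B DSN3582I DSN3AUGI SYSPLEX GROUP AUTHENTICATION IS LIMITED
DB2C DSN3582I DSN3AUGI SYSPLEX GROUP AUTHENTICATION IS LIMITED
DB2C DSN3582I DSN3AUGI SYSPLEX GROUP AUTHENTICATION IS NOT AVAILABLE FOR PASSTICKETS
"""

STATUSES = ("NOT AVAILABLE FOR PASSTICKETS", "AVAILABLE FOR PASSTICKETS",
            "NOT AVAILABLE", "NOT LIMITED", "LIMITED")   # longest first
DSN3582I = re.compile(r"^(?P<member>\S+)\s+DSN3582I\s+\S+\s+SYSPLEX GROUP AUTHENTICATION IS "
                      r"(?P<status>" + "|".join(map(re.escape, STATUSES)) + r")\s*$")

def parse_messages(log):
    """Per-member state from DSN3582I/DSNX211I lines; a later message replaces an earlier one."""
    state = defaultdict(lambda: {"group": None, "passticket": None, "dsnx211i": False})
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "DSNX211I":
            state[fields[0]]["dsnx211i"] = True          # ICSF load modules not loadable
            continue
        m = DSN3582I.match(line)
        if m:
            key = "passticket" if m["status"].endswith("PASSTICKETS") else "group"
            state[m["member"]][key] = m["status"]
    return dict(state)

def remediation(s):
    """Map one member's status to the system programmer actions listed in the APAR."""
    actions = []
    if s["group"] == "NOT AVAILABLE":
        actions.append("set AUTHEXIT_CACHEREFRESH (DSN6SPRM) to ALL in the ZPARM module")
        if s["dsnx211i"]:
            actions.append("add ICSF SCSFMOD0 to the LINKLIST (SETPROG LNKLST on a live system)")
        actions.append("stop and restart the member with the updated ZPARM")
    elif s["group"] == "LIMITED":
        actions.append("correct and restart the other members that report NOT AVAILABLE or are back-level")
    if s["passticket"] == "NOT AVAILABLE FOR PASSTICKETS":
        actions.append("PERMIT IRRPTAUTH.<applName>.* CLASS(PTKTDATA) ID(<ssidDIST user>) ACCESS(READ)")
    return actions

def group_ready(state):
    """Group authentication is fully usable only when every member reports NOT LIMITED."""
    return bool(state) and all(s["group"] == "NOT LIMITED" for s in state.values())
```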
APAR Information
APAR number
PI94236
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
C10
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-02-23
Closed date
2019-06-25
Last modified date
2020-03-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI63855
Modules/Macros
DSN3ID30 DSN3AUWL DSNXAENF DSNXACAE DSNXATUM DSNLSSST DSNLTACC DSNVFACE DSNXIATR DSNLQCRP DSNLAGNT DSNLAGNX DSNTLBAC DSN3EOM0 DSNLDALB DSNVEUS2 DSNVEUS1 DSNTDSTP DSN3RRRS DSN3TM00 DSN9SCN7 DSNVEUS4 DSNLQCTL DSN3TC30 DSNTLPLK DSN3SW30 DSNLTSEC DSN3AUSI DSN3AMGP DSN3AUCX DSNXIVRO DSN3AUCN DSN3AUCM DSN3RIS0 DSNWACDF DSNF3DIR DSNFCDIR DSN3SIES DSN3AUGC DSN3RIB2 DSNTAAL DSN3AUGI DSN9SCNP DSN3RRSR DSN3RIND DSN3SI30 DSNUGDSP DSNXECNT DSN3ID80 DSNXATIM DSNTADL DSNXIVNO DSN3IDES DSNLTEXC DSN3SI80 DSNLJTIN DSNXAAB
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RC10 PSY UI63855
UP19/07/11 P F907
Document Information
Modified date:
17 March 2020