A fix is available
APAR status
Closed as program error.
Error description
DB2DDF Defects pm98336 dpm98336 CONNECTION FAILED FOR SECURITY REASON 2 (PASSWORD INVALID. SQLCODE=-30082, SQLSTATE=08001) is returned when DB2 z/os has SYSIBM.LOCATIONS column TRUSTED=Y is set and there is no matching row in SYSIBM.USERNAMES with TYPE = 'S', only a row for TYPE = 'O' exists for the linkname. Additionally, the this message may be seen on DB2 z/os DSNL030I DSNLTSEC.30 REASON=00F30085 *************************************************************** Additional Symptoms and Keywords: SQLCODE30082 RC30082 SQLCODE -30082 SRN30082 DSNL030I MSGDSNL030I 00F30085 RC00F30085 issued at remote DB2 z/OS server.
Local fix
Local workaround is to add a row with TYPE 'S' for the trusted context connection linkname where the row TYPE ='O' exists in SYSIBM.USERNAMES
Problem summary
**************************************************************** * USERS AFFECTED: All Distributed Data Facility (DDF) users. * * Especially those that utilize trusted * * TCP/IP communications to access remote * * locations from a DB2 for z/OS requester. * **************************************************************** * PROBLEM DESCRIPTION: After applying APAR PM73557, * * applications receive SQLCODE -30082 * * due to security reason 2 (INVALID * * PASSWORD) or security reason 15 * * (SECURITY FAILURE:0A:0000000C) when * * attempting to establish a trusted * * connection to a remote location. * **************************************************************** * RECOMMENDATION: * **************************************************************** When a DB2 for z/OS requester attempts to establish a trusted connection to a remote location, DDF will always first search the Communications DataBase (CDB) for a system AUTHID row (TYPE='S') in SYSIBM.USERNAMES table to be used for the remote location's connection. Prior to APAR PM73557, whether or not the row exists, if any error prevented the row from being fetched, DDF would disable any further attempt to search for the system AUTHID row until DDF was restarted. For users who did not have a system AUTHID row in SYSIBM.USERNAMES but instead had an outbound translation row ('TYPE=O'), DDF would then successfully fetch that row and use the information from it to establish the connection to the remote location. When APAR PM73557 is applied, DDF would no longer disable the searching for a system AUTHID row in SYSIBM.USERNAMES. However, DDF would then no longer attempt to search for an outbound translation row resulting in customer applications failing to connect to the remote location with SQLCODE -30082. If the remote location was another DB2 for z/OS subsystem, and the active subsystem parameter's module (ZPARM) had the EXTERNAL SECURITY (EXTSEC DSN6SYSP) parameter set to YES, the returned security failure reason code would be 2 (INVALID PASSWORD). If the EXTERNAL SECURITY parameter was only set to NO, then the returned security failure reason code would be 15 (SECURITY FAILURE:0A:0000000C). Also, if the remote location was a DB2 for z/OS subsystem, then a DSNL030I message may be displayed with tokens DSNLTSEC.30 and REASON=00F30085.
Problem conclusion
DB2 has been changed to always attempt to search for an outbound translation row in the CDB if a system AUTHID row cannot be found for a connection to a trusted remote location. Users are advised that the recommended CDB configuration to be used to establish a connection to a trusted remote location is the existence of a system AUTHID row for the location in the SYSIBM.USERNAMES table of the CDB.
Temporary fix
Comments
APAR Information
APAR number
PM98336
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
A10
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-10-02
Closed date
2013-12-12
Last modified date
2014-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI13507 UI13508 UI13509
Modules/Macros
DSNLCITR
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RA10 PSY UI13507
UP13/12/28 P F312 {
RB10 PSY UI13508
UP13/12/28 P F312 {
R910 PSY UI13509
UP13/12/28 P F312 {
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEPEK","label":"Db2 for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 January 2014