IBM Support

PH04163: AFTER SPECIFY THE IPNAME IN THE BSDS, THE DISPLAY DATABASE COMMAND FAILED WITH SOME RACF ERRORS.

A fix is available


APAR status

  • Closed as program error.

Error description

  • DB2DDF
    Customer just changed from SNA to TCP/IP and updated the BSDS
    recently.  They removed the LUNAME parameter from the BSDS.  After
    that, when the REORG utility is run and DRAIN fails, the following
    "DISPLAY DATABASE" command fails with RACF errors:
    .
    ICH408I USER(userid  ) GROUP(group   ) NAME(name     )
    LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION H52C
    
    Application "H52C" corresponds to "152C" in hexadecimal, which is
    5420 in decimal: the resync port.
    .
    LOCATION=LOCLOCLO IPNAME=DB2DB2D PORT=5210 SPORT=NULL RPORT=5420
    ALIAS=(NULL)
    IPV4=NULL IPV6=NULL
    GRPIPV4=NULL GRPIPV6=NULL
    LUNAME=(NULL) PASSWORD=(NULL) GENERICLU=(NULL)
    .
    ***************************************************************
    Additional Symptoms and Keywords:
     ICH408I   MSGICH408I   NOT AUTHORIZED TO APPLICATION
     DSNU1122I MSGDSNU1122I
     IPNAME LCOMIPNM SCOMLUNM
    

Local fix

  • Workaround:
    Add RACF APPL def for hex resync port.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All Db2 users. Predominantly all             *
    *                 Distributed Data Facility (DDF)              *
    *                 users.                                       *
    *                 Specifically those where Db2 is              *
    *                 defined with an IPNAME value.                *
    ****************************************************************
    * PROBLEM DESCRIPTION: Authorization related errors,           *
    *                      including RACF ICH408I .. "NOT          *
    *                      AUTHORIZED TO APPLICATION applname"     *
    *                      console messages, may occur if Db2      *
    *                      is defined with an IPNAME value.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The user has defined Db2 with an IPNAME value via the DDF
    statement of the DSNJU003 (Change Log Inventory) utility.  The
    definition of the IPNAME value can be observed via the
    DSNJU004 (Print Log Map) utility or via the DSNL084I message of
    the -DISPLAY DDF command report.  The user has also defined
    RACF permission/authorization rules based on this IPNAME value
    as the RACF APPL Class.
    In this environmental condition, local applications may suffer
    authorization failures.  The user specifically reported message
    DSNU1122I relative to the Db2 REORG utility.  The failures will
    be accompanied by RACF message ICH408I .. "NOT AUTHORIZED TO
    APPLICATION applname" being issued to the z/OS console, where
    "applname" essentially reflects the character representation of
    the hexadecimal equivalent of the Db2 subsystem Resync Port
    value (as observed via the DSNL084I message of the -DISPLAY DDF
    command report - RESPORT).
     Example: ICH408I .. NOT AUTHORIZED TO APPLICATION H389
      In this case, the applname value is derived from the 5001
      resync port value (DSNL084I RESPORT).  The hexadecimal
      equivalent of 5001 is 1389x and the character 'H' is
      substituted for the (first) character '1'.
      Substitution occurs if the first character is '0' (zero)
      through '9' (nine), in which case the characters 'G' through
      'P' are substituted.
    The problem occurs because Db2 establishes an incorrect default
    APPLNAME value to be passed to RACF (when verifying a user's
    authority) if Db2 is defined with an IPNAME value.  The
    incorrect default APPLNAME value is utilized only for local
    related applications.  Distributed work, relative to remote
    applications that access Db2 as a server, is not affected.
    This APPL application name is used for RACF authorization of:
      - Db2 DISPLAY DATABASE command
      - Db2 Utility Reorg DISPLAY CLAIMERS command
    The application name should be defined to the security server
    and userids that require these commands should be permitted by
    the security server.
    ICH408I USER(authid) NOT AUTHORIZED TO APPLICATION applname
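
The applname derivation described in the problem summary, as an added example (not IBM's or Db2's code): it computes the APPL name for a given resync port, decodes an APPL name back to a port, and picks the matching ICH408I lines out of console output. Assumptions: the hexadecimal value is zero-padded to four digits and a leading A through F is left unchanged; the function names and the second console line are constructed for illustration.

```python
import re

# Leading hex digit '0'..'9' is replaced by 'G'..'P' (per the APAR text).
DIGIT_TO_LETTER = {str(d): chr(ord("G") + d) for d in range(10)}
LETTER_TO_DIGIT = {v: k for k, v in DIGIT_TO_LETTER.items()}

ICH408I_APPL = re.compile(r"NOT AUTHORIZED TO APPLICATION (\S+)")


def applname_from_resport(port):
    """APPL name RACF sees for a given DSNL084I RESPORT value."""
    if not 0 < port <= 0xFFFF:
        raise ValueError(f"not a valid TCP port: {port}")
    hex_digits = format(port, "04X")  # assumption: zero-padded to 4 digits
    first = hex_digits[0]
    # Assumption: a leading A-F is passed through unchanged.
    return DIGIT_TO_LETTER.get(first, first) + hex_digits[1:]


def resport_from_applname(applname):
    """Decode an APPL name back to a port, or None if it cannot be one."""
    if not re.fullmatch(r"[A-P][0-9A-F]{3}", applname):
        return None
    first = LETTER_TO_DIGIT.get(applname[0], applname[0])
    return int(first + applname[1:], 16)


def find_resport_denials(console_lines, resport):
    """Return console lines whose denied APPL name matches the resync port."""
    expected = applname_from_resport(resport)
    hits = []
    for line in console_lines:
        match = ICH408I_APPL.search(line)
        if match and match.group(1) == expected:
            hits.append(line)
    return hits


# First line is from the APAR text; the second is constructed as a non-match.
SAMPLE_CONSOLE = [
    "LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION H52C",
    "LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION TSOPROD",
]

if __name__ == "__main__":
    print(applname_from_resport(5420))             # RPORT from the display
    print(resport_from_applname("H389"))           # IBM's second example
    print(find_resport_denials(SAMPLE_CONSOLE, 5420))
```

A denied APPL name that decodes to the subsystem's own resync port points at this APAR rather than at a missing permission for a real application.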
    

Problem conclusion

  • Db2 has been changed to establish a correct default APPLNAME
    value to be passed to RACF when an IPNAME value is defined.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH04163

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-17

  • Closed date

    2018-12-11

  • Last modified date

    2022-03-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI60189 UI60193

Modules/Macros

  •    DSN3AUCN
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RB10 PSY UI60193

       UP18/12/27 P F812

  • RC10 PSY UI60189

       UP18/12/25 P F812

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
03 March 2022