A fix is available
APAR status
Closed as program error.
Error description
DB2DDF Customer just changed from SNA to TCP/IP and updated the BSDS recently. They removed the LUNAME parameter from BSDS. After that, when running REORG utlity and DRAIN failed, the following "DISPLAY DATABASE" command will fail with some RACF errors: . ICH408I USER(userid ) GROUP(group ) NAME(name ) LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION H52C Application "H52C" correspond to "152C" in hexadecimal which is 5420 in decimal: the resport port. . LOCATION=LOCLOCLO IPNAME=DB2DB2D PORT=5210 SPORT=NULL RPORT=5420 ALIAS=(NULL) IPV4=NULL IPV6=NULL GRPIPV4=NULL GRPIPV6=NULL LUNAME=(NULL) PASSWORD=(NULL) GENERICLU=(NULL) . *************************************************************** Additional Symptoms and Keywords: ICH408I MSGICH408I NOT AUTHORIZED TO APPLICATION DSNU1122I MSGDSNU1122I IPNAME LCOMIPNM SCOMLUNM
Local fix
Workaround: Add RACF APPL def for hex resync port.
Problem summary
**************************************************************** * USERS AFFECTED: All Db2 users. Predominantly all * * Distributed Data Facility (DDF) * * users. * * Specifically those where Db2 is * * defined with an IPNAME value. * **************************************************************** * PROBLEM DESCRIPTION: Authorization related errors, * * including RACF ICH408I .. "NOT * * AUTHORIZED TO APPLICATION applname" * * console messages, may occur if Db2 * * is defined with an IPNAME value. * **************************************************************** * RECOMMENDATION: * **************************************************************** The user has defined Db2 with an IPNAME value via the DDF statement of the DSNJU003 (Change Log Inventory) utility. The definition of the IPNAME value can be observed via the DSNJU004 (Print Log Map) utility or via the DSNL084I message of the -DISPLAY DDF command report. The user has also defined RACF permission/authorization rules based on this IPNAME value as the RACF APPL Class. In this environmental condition, local applications may suffer authorization failures. The user specifically reported message DSNU1122I relative to the Db2 REORG utility. The failures will be accompanied by RACF message ICH408I .. "NOT AUTHORIZED TO APPLICATION applname" being issued to the z/OS console, where "applname" essentially reflects the character representation of the hexadecimal equivalent of the Db2 subsystem Resync Port value (as observed via the DSNL084I message of the -DISPLAY DDF command report - RESPORT). Example: ICH408I .. NOT AUTHORIZED TO APPLICATION H389 In this case, the applname value is derived from the 5001 resync port value (DSNL084I RESPORT). The hexadecimal equivalent of 5001 is 1389x and the character 'H' is substituted for the (first) character '1'. Substitution occurs if the first character is '0' (zero) though '9' (nine), in which case the characters 'G' through 'P' are substituted. The problem occurs because Db2 establishes an incorrect default APPLNAME value to be passed to RACF (when verifying a user's authority) if Db2 is defined with an IPNAME value. The incorrect default APPLNAME value is utilized only for local related applications. Distributed work, relative to remote applications that access Db2 as a server, are not affected. This APPL application name is used for RACF authorization of - Db2 DISPLAY DATABASE command Db2 Utility Reorg DISPLAY CLAIMERS command. The application name should be defined to the security server and userids that require these commands should be permitted by the security server. ICH408I USER(authid) NOT AUTHORIZED TO APPLICATION applname
Problem conclusion
Db2 has been changed to establish a correct default APPLNAME value to be passed to RACF when an IPNAME value is defined.
Temporary fix
Comments
APAR Information
APAR number
PH04163
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
B10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-10-17
Closed date
2018-12-11
Last modified date
2022-03-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI60189 UI60193
Modules/Macros
DSN3AUCN
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEPEK","label":"DB2 for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.0"}]
Document Information
Modified date:
03 March 2022