A fix is available
APAR status
Closed as program error.
Error description
db2ddf Db2 message DSNL030I.43 is issued when an authentication error is detected for SSL Client Certificate access. The USERID field contains the value '-UNKNOWN', which is incorrect. Furthermore, an incorrect DRDA reply message (PRCCNVRM) is sent back to the remote client.
Local fix
Problem summary
USERS AFFECTED: All Distributed Data Facility (DDF) users. Specifically where Db2 for z/OS is accessed by remote DRDA clients using SSL client (mutual) authentication.

PROBLEM DESCRIPTION: ERRORCODE -4499, SQLSTATE 58017 communication error occurred unexpectedly when a remote client using SSL client (mutual) authentication accesses a Db2 for z/OS server. A DSNL030I message, reflecting DSNLTSEC.43 and reason 00F30072 with an unpredictable primary authorization ID value, is also issued to the system console.

RECOMMENDATION: Apply corrective PTF when available

A remote client application using SSL client (mutual) authentication attempts to access a Db2 for z/OS server but the SSL client authentication fails. Db2 for z/OS message DSNL030I, reflecting DSNLTSEC.43 and reason code 00F30072, is issued to the system console. However, the DSNL030I thread-info primary authorization ID value is either missing or unpredictable. The connection is terminated but no authentication error indication is returned back to the client. In this case, the remote client (JCC driver) suffered an unexpected communication error, ERRORCODE -4499 and SQLSTATE 58017.
Problem conclusion
Db2 for z/OS server SSL client (mutual) authentication processing is changed and will now return a more appropriate reply message back to the remote client in the event of a legitimate authentication error condition.
Temporary fix
Comments
APAR Information
APAR number
PH17960
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
C10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-10-10
Closed date
2020-01-08
Last modified date
2020-02-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI67314
Modules/Macros
DSNLZSR2 DSNLTSEC
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RC10 PSY UI67314
UP20/01/16 P F001
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 February 2020