-30082   CONNECTION FAILED FOR SECURITY REASON reason-code (reason-string)

Explanation

The attempt to connect to a remote database server was rejected due to invalid or incorrect security information. The cause of the security error is described by the reason-code and reason-string values.

The possible values for reason-code and reason-string appear below:
  • 1 (PASSWORD EXPIRED) -- the password used to connect to the remote server has expired.
  • 2 (PASSWORD INVALID) -- the password used to connect to the remote server does not match the password stored at the remote server.
  • 3 (PASSWORD MISSING) -- the remote server rejected the connection request because the request did not include a password.
  • 4 (PROTOCOL VIOLATION) -- the remote server rejected the connection request because the request did not contain the proper security information. Error messages or trace records should be produced by the server system to explain the nature of the security violation.
  • 5 (USER-ID MISSING) -- the remote server rejected the connection request because the request did not specify a user-id.
  • 6 (USER-ID INVALID) -- the user-id specified in the connection request is not defined at the remote server system.
  • 7 (USER-ID REVOKED) -- the user-id specified in the connection request has been revoked.
  • 15 (SECURITY FAILURE:secchkcd:svcerrno) -- authentication failed at the remote server system. Refer to the Open Group Technical Standard, DRDA Version 3 Vol. 3: Distributed Data Management Architecture for a detailed discussion of the semantics of the DDM terms SECCHKCD and SVCERRNO.
  • 16 (NEW PASSWORD INVALID) -- the password specified on a change password request did not meet the server's requirements.
  • 17 (UNSUPPORTED FUNCTION) -- the security mechanism specified by the client is invalid for this server. Some typical examples:
    • The client is configured to send an Already Verified userid but the server does not support Already Verified userids. Client or server changes must be made to correct the inconsistency.
      • DB2® for z/OS® server acceptance of Already Verified userids over TCP/IP connections is controlled by the TCPALVER value of the DSNTIP5 installation panel (DSN6FAC TCPALVER).
      • DB2 for z/OS client usage of Already Verified userids is controlled by the SECURITY_OUT column of the SYSIBM.LUNAMES or SYSIBM.IPNAMES table.
    • The client is configured to use one of the following security mechanisms but the server does not support the mechanism:
      • Encrypted userid and encrypted security-sensitive data.
      • Encrypted userid, encrypted password, and encrypted security-sensitive data.
      Client changes must be made to correct the inconsistency.
      • DB2 for z/OS client usage of encryption security mechanism is controlled by the SECURITY_OUT column of the SYSIBM.IPNAMES table.
    • The client sent a new password value to a server that does not support the DRDA change password function.
    • The client sent DCE authentication information to a server that does not support DCE.
  • 26 (SWITCH USER INVALID) -- the client is configured to request a trusted connection and switch user in the trusted connection. A trusted connection was not established and so the switch user request is invalid.

System action

The attempt to connect to the remote database server fails. If the server system is a DB2 for z/OS server, a DSNL030I message at the server system describes the cause.

Programmer response

DB2 uses the communications database (CDB) to control network security functions. Make the appropriate changes to the CDB to correct the security failure.
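When many connection failures have to be triaged, the reason-code and reason-string in the message text can be extracted mechanically to separate credential problems from security-mechanism mismatches. The following Python is an added example, not part of the IBM documentation: the sample lines are constructed, and the credential/mechanism grouping is this example's own convention.

```python
import re
from collections import Counter

# Reason codes and reason-strings exactly as listed on this page.
REASONS = {
    1: "PASSWORD EXPIRED", 2: "PASSWORD INVALID", 3: "PASSWORD MISSING",
    4: "PROTOCOL VIOLATION", 5: "USER-ID MISSING", 6: "USER-ID INVALID",
    7: "USER-ID REVOKED", 15: "SECURITY FAILURE", 16: "NEW PASSWORD INVALID",
    17: "UNSUPPORTED FUNCTION", 26: "SWITCH USER INVALID",
}
# Grouping is this example's own triage convention, not part of the DB2 message.
CREDENTIAL = {1, 2, 3, 5, 6, 7, 16}   # the user-id or password sent is the problem
MECHANISM = {4, 15, 17, 26}           # security mechanism or configuration mismatch

MSG = re.compile(r"CONNECTION FAILED FOR SECURITY REASON\s+(\d+)\s*\(([^)]*)\)")

def parse_30082(text):
    """Return a dict describing the -30082 message in text, or None if absent."""
    m = MSG.search(text)
    if not m:
        return None
    code, raw = int(m.group(1)), m.group(2).strip()
    name, _, detail = raw.partition(":")
    name = name.strip().upper()
    out = {"code": code, "reason": name,
           # False when the code is not listed here or code and string disagree.
           "known": REASONS.get(code) == name,
           "category": "credential" if code in CREDENTIAL
                       else "mechanism" if code in MECHANISM else "unknown"}
    if code == 15 and detail:
        # Reason 15 carries the DDM SECCHKCD and SVCERRNO values after the name.
        secchkcd, _, svcerrno = detail.partition(":")
        out["secchkcd"], out["svcerrno"] = secchkcd.strip(), svcerrno.strip()
    return out

def summarize(lines):
    """Count failures by (code, reason); lines without the message are skipped."""
    return Counter((p["code"], p["reason"]) for p in map(parse_30082, lines) if p)

# Constructed sample lines (not real output); only the message text comes from the page.
SAMPLE = [
    "SQLCODE = -30082, CONNECTION FAILED FOR SECURITY REASON 2 (PASSWORD INVALID)",
    "SQLCODE = -30082, CONNECTION FAILED FOR SECURITY REASON 2 (PASSWORD INVALID)",
    "SQLCODE = -30082, CONNECTION FAILED FOR SECURITY REASON 15 (SECURITY FAILURE:0F:0)",
    "SQLCODE = -30082, CONNECTION FAILED FOR SECURITY REASON 17 (UNSUPPORTED FUNCTION)",
    "SQLCODE = -904, unrelated line",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```

A result with `known` set to False means the code is not in the list above or the code and reason-string disagree, so the line should be read by hand rather than counted.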

SQLSTATE

08001