EXTENDED SECURITY field (EXTSEC subsystem parameter)
The EXTSEC subsystem parameter specifies how two related security options are to be set. These settings control what happens when a DDF connection has security errors and whether RACF® users can change their passwords through the DRDA change password function.
| Acceptable values: | YES, NO |
|---|---|
| Default: | YES |
| Update: | option 46 on panel DSNTIPB |
| DSNZPxxx: | DSN6SYSP EXTSEC |
| Subsystem parameter: | Yes |
- YES
- Detailed reason codes are returned to a DRDA level 3 client when a DDF connection request
fails because of security errors. When using SNA protocols, the requester
must have included a product that supports the extended security sense
codes. One such product is Db2 Connect.
RACF users can change their passwords by using the DRDA change password function. This support is only for DRDA requesters that have implemented support for changing passwords.
- NO
- Generic error codes are returned to the clients and RACF users are prevented from changing their passwords.
Recommendation: Specify
a value of YES. This setting allows properly enabled DRDA clients to determine the cause of security
failures without requiring Db2 operator
support. A value of YES also allows RACF users
on properly enabled Db2 clients
to change their passwords.
Note: This is a security-related parameter. When this
parameter is set to YES, detailed reason codes are returned to the
client when a DDF connection request fails because of security errors
that might enable more malicious attacks. If this parameter is set
to YES, RACF users can change their passwords by using the DRDA change
password function.