Security plug-in problem determination

Problems with security plug-ins are reported in two ways: through SQL errors and through the administration notification log.

Following are the SQLCODE values related to security plug-ins:
  • SQLCODE -1365 is returned when a plug-in error occurs during db2start or db2stop.
  • SQLCODE -1366 is returned whenever there is a local authorization problem.
  • SQLCODE -30082 is returned for all connection-related plug-in errors.
The administration notification logs are a good resource for debugging and administrating security plug-ins. To see the an administration notification log file on UNIX, check sqllib/db2dump/instance name.N.nfy. To see an administration notification log on Windows operating systems, use the Event Viewer tool. The Event Viewer tool can be found by navigating from the Windows operating system "Start" button to Settings -> Control Panel -> Administrative Tools -> Event Viewer. Following are the administration notification log values related to security plug-ins:
  • 13000 indicates that a call to a GSS-API security plug-in API failed with an error, and returned an optional error message. 
    SQLT_ADMIN_GSS_API_ERROR (13000)
Plug-in "plug-in name" received error code "error code" from
GSS API  "gss api name" with the error message "error message"
  • 13001 indicates that a call to a Db2® security plug-in API failed with an error, and returned an optional error message. 
    SQLT_ADMIN_PLUGIN_API_ERROR(13001)
Plug-in "plug-in name" received error code "error code" from Db2
security plug-in API "gss api name" with the error message
"error message"
  • 13002 indicates that Db2 failed to unload a plug-in. 
    SQLT_ADMIN_PLUGIN_UNLOAD_ERROR (13002)
Unable to unload plug-in "plug-in name". No further action required.
  • 13003 indicates a bad principal name. 
    SQLT_ADMIN_INVALID_PRIN_NAME (13003)
The principal name "principal name" used for "plug-in name"
is invalid. Fix the principal name.
  • 13004 indicates that the plug-in name is not valid. Path separators (On UNIX "/" and on Windows "\") are not allowed in the plug-in name. 
    SQLT_ADMIN_INVALID_PLGN_NAME (13004)
The plug-in name "plug-in name" is invalid. Fix the plug-in name.
  • 13005 indicates that the security plug-in failed to load. Ensure the plug-in is in the correct directory and that the appropriate database manager configuration parameters are updated. 
    SQLT_ADMIN_PLUGIN_LOAD_ERROR (13005)
Unable to load plug-in "plug-in name". Verify the plug-in existence and
directory where it is located is correct.
  • 13006 indicates that an unexpected error was encountered by a security plug-in. Gather all the db2support information, if possible capture a db2trc, and then call IBM® support for further assistance. 
    SQLT_ADMIN_PLUGIN_UNEXP_ERROR (13006)
Plug-in encountered unexpected error. Contact IBM Support for further assistance.
Note: If you are using security plug-ins on a Windows 64-bit database server and are seeing a load error for a security plug-in, see the topics about 32-bit and 64-bit considerations and security plug-in naming conventions. The 64-bit plug-in library requires the suffix "64" on the library name, but the entry in the security plug-in database manager configuration parameters should not indicate this suffix.