IBM Support

PH21341: ADD DB2 FOR Z/OS TO SUPPORT THE CONTROL OF THE FREQUENCY OF A CLIENT TO SEND NEW CREDENTIALS FOR AUTHENTICATION

A fix is available


APAR status

  • Closed as new function.

Error description

  • db2ddf
    Add support to Db2 for z/OS for controlling how frequently a
    client must send new security credentials, that is, how long
    previously authenticated credentials may be replayed before new
    credentials are required for authentication.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All Db2 12 for z/OS Distributed Data                         *
    * Facility (DDF) users. Specifically those                     *
    * who have distributed client applications                     *
    * which utilize Multi-Factor Authentication                    *
    * security credentials.                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * New function is being provided to                            *
    * handle successful multi-factor                               *
    * authentications (MFA) from distributed                       *
    * client applications.                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply corrective PTF when available                          *
    ****************************************************************
    Db2 has a capability called the global authentication cache.
    It exists in each Db2 subsystem, whether or not the subsystem
    is a member of a data sharing group, and its purpose is to
    reduce the Db2 processing required to authenticate the
    security credentials from a particular distributed client
    application environment. It allows successfully authenticated
    credentials to be replayed on new connection requests to Db2
    from that client environment for up to 3 minutes after RACF
    authenticated them. Once the 3 minutes have expired, the next
    connection request has its credentials re-authenticated.
    MFA-based security credentials, however, cannot be
    re-authenticated: RACF accepts an MFA token only once. When a
    client environment routes each connection request to a
    different member of a Db2 data sharing group (for example,
    through a distributing DVIPA) and RACF uses a common service
    across the systems in the sysplex, new MFA security
    credentials had to be provided on every new connection
    request. This led to significant usability issues for those
    client applications. Also, some customer environments may not
    allow the replay of MFA-based security credentials at all.
    

Problem conclusion

Temporary fix

Comments

  • Db2 12 is being changed to give a Db2 system administrator or
    DBA control over whether a Db2 subsystem, or the members of a
    data sharing group, cache multi-factor authentication (MFA)
    based security credentials for distributed clients that do not
    use sysplex workload balancing or seamless failover.
    A new Db2 subsystem parameter,
    DSN6SPRM.MFA_AUTHCACHE_UNUSED_TIME,
    specifies how long a set of MFA-authenticated security
    credentials from a distributed client (DRDA or REST) can be
    cached and remain "unused" in the subsystem's global
    authentication cache before new security credentials must be
    provided; it also controls whether such credentials are cached
    at all. A cached entry is "unused" until the same MFA-based
    security credentials are presented again, from the same client
    IP address, on a subsequent new connection request; each such
    reuse resets the unused time. The cache entry does not contain
    the text of the security credentials. If the Db2 subsystem is a
    member of a data sharing group and its own cache has no match,
    the caches of the other members are queried for matching
    credentials; when a match is found in another member's cache, a
    corresponding entry is made in the current member's cache.
    Refer to this APAR's ++HOLD ACTION and ++HOLD DOC for details
    on this new subsystem parameter.
    A new message, DSN3583I, displays the current value of
    DSN6SPRM.MFA_AUTHCACHE_UNUSED_TIME and whether it can be
    updated with the Db2 -SET SYSPARM command. Refer to this APAR's
    ++HOLD DOC for details on this new message.
    
    Note that the support provided by the prior Db2 12 APAR
    PI94236, sysplex group authentication, is not affected by this
    APAR. Sysplex group authentication is used when the distributed
    client application environments use the IBM Data Server Drivers
    (both Java and non-Java) with sysplex workload balancing or
    seamless failover.
    
    ************************************************************
    NOTE: If you do not take any steps to create a new or update
    an existing Db2 subsystem parameters module (ZPARM) once
    the PTF for this APAR has been installed and Db2 has been
    started with the changes, MFA-based security credentials
    provided by DRDA or REST client applications will not be
    cached, and as such, will require that new MFA tokens be
    provided on each connection request from those application
    environments. However, distributed client application
    environments which utilize sysplex workload balancing or
    seamless failover capabilities will not be affected.
    ************************************************************
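    The caching and expiry behaviour described in the comments above,
    as an added illustrative model. This is not Db2 or IBM code: Db2's
    actual cache key layout, digest, and cross-member lookup protocol
    are not described on this page and are assumed here, as is the
    parameter name unused_time standing in for MFA_AUTHCACHE_UNUSED_TIME
    (whose valid range and default are not stated on this page). A
    one-time-token authenticator stands in for RACF MFA, and the user
    ID, token, client IPs and timestamps are constructed sample data.

```python
import hashlib
from typing import Dict, List


class OneTimeTokenAuthenticator:
    """Stand-in for RACF MFA (constructed): each token is accepted exactly
    once, which is why Db2 cannot simply re-authenticate an MFA credential."""

    def __init__(self, unconsumed: Dict[str, str]):
        self._unconsumed = dict(unconsumed)  # user -> token not yet used

    def authenticate(self, user: str, token: str) -> bool:
        if self._unconsumed.get(user) == token:
            del self._unconsumed[user]  # replaying the same token later must fail
            return True
        return False


class MemberAuthCache:
    """One subsystem's cache of successful MFA authentications.
    unused_time is the hypothetical equivalent of MFA_AUTHCACHE_UNUSED_TIME
    (seconds); 0 means MFA credentials are never cached."""

    def __init__(self, unused_time: int):
        self.unused_time = unused_time
        self._last_used: Dict[str, float] = {}  # digest -> time of last reuse

    @staticmethod
    def key(user: str, token: str, client_ip: str) -> str:
        # Only a digest of (user, credential, client IP) is stored, so the
        # credential text itself never sits in the cache (assumed layout).
        return hashlib.sha256(f"{user}\0{token}\0{client_ip}".encode()).hexdigest()

    def put(self, user: str, token: str, client_ip: str, now: float) -> None:
        if self.unused_time > 0:
            self._last_used[self.key(user, token, client_ip)] = now

    def hit(self, user: str, token: str, client_ip: str, now: float) -> bool:
        k = self.key(user, token, client_ip)
        last = self._last_used.get(k)
        if last is None:
            return False
        if now - last > self.unused_time:
            del self._last_used[k]  # idle longer than unused_time: new credentials required
            return False
        self._last_used[k] = now  # a reuse resets the unused time
        return True


class DataSharingGroup:
    """Members consult their own cache, then their peers' caches, then RACF."""

    def __init__(self, members: List[MemberAuthCache], racf: OneTimeTokenAuthenticator):
        self.members = members
        self.racf = racf

    def connect(self, member_index: int, user: str, token: str,
                client_ip: str, now: float) -> str:
        me = self.members[member_index]
        if me.hit(user, token, client_ip, now):
            return "local-cache"
        for peer in self.members:
            if peer is not me and peer.hit(user, token, client_ip, now):
                me.put(user, token, client_ip, now)  # copy the match into the local cache
                return "peer-cache"
        if self.racf.authenticate(user, token):
            me.put(user, token, client_ip, now)
            return "authenticated"
        return "rejected"


def demo(unused_time: int) -> List[str]:
    """Run one constructed connection sequence through a two-member group."""
    racf = OneTimeTokenAuthenticator({"APPUSER": "MFA-123456"})
    group = DataSharingGroup(
        [MemberAuthCache(unused_time), MemberAuthCache(unused_time)], racf)
    t0 = 1_000.0
    return [
        group.connect(0, "APPUSER", "MFA-123456", "10.0.0.5", t0),       # first use goes to RACF
        group.connect(1, "APPUSER", "MFA-123456", "10.0.0.5", t0 + 10),  # routed to the other member
        group.connect(0, "APPUSER", "MFA-123456", "10.0.0.9", t0 + 20),  # same token, different client IP
        group.connect(0, "APPUSER", "MFA-123456", "10.0.0.5", t0 + 50),  # reuse within unused_time
        group.connect(0, "APPUSER", "MFA-123456", "10.0.0.5",
                      t0 + 50 + unused_time + 1),                        # idle longer than unused_time
    ]


if __name__ == "__main__":
    print("unused_time=60:", demo(60))
    print("unused_time=0 :", demo(0))
```

    With unused_time=60 the sequence yields authenticated, peer-cache,
    rejected, local-cache, rejected: the second member finds the entry in
    its peer's cache, the request from a different client IP cannot use
    the entry and the one-time token has already been consumed, the
    reuse at t0+50 resets the idle clock, and the final request arrives
    after the reset clock has expired. With unused_time=0 nothing is
    cached, so every request after the first is rejected, which matches
    the note above that without a ZPARM update MFA credentials are not
    cached. The practitioner's caveat is the other side of the same
    coin: enabling caching makes a one-time MFA token replayable for up
    to unused_time seconds from the address Db2 sees, and clients behind
    a shared NAT present the same address, so sites whose policy forbids
    MFA replay should leave the credentials uncached.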
    

APAR Information

  • APAR number

    PH21341

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    C10

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-01-22

  • Closed date

    2020-08-10

  • Last modified date

    2020-09-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI70982

Modules/Macros

  • DSNTINMF DSNDQWPZ DSNWZIFC DSNTIDXA DSNTIVMD DSNTIJUZ DSNTINST
    DSNTIDXC DSNTIWIA DSNTLPLK DSNTIDXB DSNTIVIA DSNTIWMD DSNTIWIE
    DSNTIVIE DSNLTSEC DSNZCMD1 DSNFCDIR DSN@XAZP DSN6SPRM DSNF3DIR
    DSNTXAZP DSNTIWPC DSNTIPP  DSNDSPRM DSN3AUCN DSNTIVMN DSNTIWMN
    DSN3AMGP DSNTIVAF DSNTIVIN DSNTIWMS DSN3AUGC DSNTIVMS DSNTIWAF
    DSNTIWIN
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • RC10 PSY UI70982

       UP20/08/19 P F008


Document Information

Modified date:
02 September 2020