
PM16903: DB2 FOR Z/OS AES ENCRYPTION REJECTED IF ICSF SERVICES ARE NOT AVAILABLE

A fix is available


APAR status

  • Closed as program error.

Error description

  • DB2DDF DDFL09 defect pm16903 dpm16903
    DB2 9 for z/OS server rejects or fails the connection if AES
    encryption is requested but for some reason ICSF services are
    not available.
    
    On the DB2 for z/OS server, the customer may see the following:
    DSNL030I from DSNLTSEC with reason=00F30085
    
    Application may receive
    -30082 RC 15.SECURITY FAILURE  :0A:0000000C
    
    DB2 z/OS logs or syslogs on both sides may show:
    DSNL045I with DSNLCICF for miscellaneous ICSF APIs with
    RETCODE='0000000C'X AND RSNCODE='00000000'X
    
    ******************************************************
    Additional keywords and symptoms:
      SQLCODE30082 SQLCODE -30082 SQLN30082 SQL30082N
      DSNL045I
      DSNL030I DSNLTSEC
      SECMEC 9 AES
      MSGDSNL046I DSNL046I ICSF NOT ENABLED message condition if
        ICSF is not started at server.
    

Local fix

  • no local workaround
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All Distributed Data Facility (DDF) users.   *
    *                 Specifically where a DB2 9 for z/OS NFM      *
    *                 requester system is configured to send       *
    *                 security credentials when accessing a        *
    *                 remote server.                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: A DB2 9 for z/OS outbound connection    *
    *                      receives the following:                 *
    *                       SQLCODE -30082, ERROR: CONNECTION      *
    *                       FAILED FOR SECURITY REASON 15          *
    *                       (SECURITY_FAILURE     :0A)             *
    *                       SQLERRP=DSNLTAS1                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    DB2 9 for z/OS APAR PK56287 introduced Advanced Encryption
    Standard (AES) support for encryption and decryption
    processing of the user ID and password during remote
    connection authentication processing. Requester and server
    support was provided. Specifically, for requester AES support,
    when an outbound connection request contains a user ID and a
    password, DB2 will implicitly default to use AES to encrypt the
    user ID and password if cryptographic services are available
    and the server supports encryption.
    In this case, the server indicated that it supports encryption
    but the outbound connection request was unsuccessful. This
    occurred because the server's cryptographic environment (to
    support AES) was unavailable and thus the server was unable to
    decrypt the AES protected security credentials. Further
    connection requests to the same remote location will continue
    to fail until the server's cryptographic environment becomes
    available.
    

Problem conclusion

  • DB2 9 for z/OS requester processing has been changed to ensure
    that an outbound connection request will be established
    regardless of the state of the server's cryptographic
    environment. In other words, if the outbound connection
    request using AES protection is unsuccessful, DB2 will
    implicitly reestablish the outbound connection request using
    DES protection. If the use of DES protection for the outbound
    connection request is unsuccessful, DB2 will implicitly
    reestablish the outbound connection request by sending the
    user ID and password in clear text to the remote partner.
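
Added example, not part of the APAR and not IBM code: since the changed requester falls back from AES to DES and then to clear text, the server-side symptoms listed under "Error description" are worth alerting on. The sketch below scans log lines for those message IDs and codes; the sample lines, the `-DB9A` prefix and the line layout are constructed, and only the identifiers come from this page.

```python
import re
from collections import Counter

# Message IDs, DSNLTSEC, 00F30085, 0000000C and -30082 / reason 15 come from the
# APAR text. The layout of the text around them is an assumption.
SIGNATURES = {
    "DSNL046I": re.compile(r"\bDSNL046I\b"),
    "DSNL045I": re.compile(r"\bDSNL045I\b.*RETCODE='0000000C'X", re.I),
    "DSNL030I": re.compile(r"\bDSNL030I\b.*\bDSNLTSEC\b.*REASON=00F30085", re.I),
    "SQL30082": re.compile(r"-30082\b.*\b15\b.*SECURITY[ _]FAILURE", re.I),
}
# Server-side messages indicating that ICSF could not service the AES request.
SERVER_ICSF = {"DSNL046I", "DSNL045I", "DSNL030I"}

def scan(lines):
    """Return (line_number, signature_name) for each line showing a symptom."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
                break
    return hits

def summarize(lines):
    """Count symptoms and flag whether the server's ICSF looks unavailable."""
    hits = scan(lines)
    return {
        "counts": dict(Counter(name for _, name in hits)),
        "icsf_unavailable": any(name in SERVER_ICSF for _, name in hits),
    }

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = [
    "10:15:02 DSNL046I -DB9A ICSF NOT ENABLED",
    "10:15:07 DSNL045I -DB9A DSNLCICF RETCODE='0000000C'X AND RSNCODE='00000000'X",
    "10:15:07 DSNL030I -DB9A DSNLTSEC DDF PROCESSING FAILURE REASON=00F30085",
    "10:15:08 SQLCODE -30082 RC 15.SECURITY FAILURE  :0A:0000000C",
    "10:16:00 DSNL004I -DB9A DDF START COMPLETE",
]

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
    print(summarize(SAMPLE_LOG))
```

When `icsf_unavailable` is true for a server, requesters carrying this fix will retry against it with DES and then clear text, as described in the Problem conclusion.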
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM16903

  • Reported component name

    DB2 OS/390 & Z/

  • Reported component ID

    5740XYR00

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-06-21

  • Closed date

    2010-09-02

  • Last modified date

    2010-10-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK60222

Modules/Macros

  • DSNDTRAN DSNLTAS1 DSNLTCCN DSNLTEXC
    

Fix information

  • Fixed component name

    DB2 OS/390 & Z/

  • Fixed component ID

    5740XYR00

Applicable component levels

  • R910 PSY UK60222

       UP10/09/18 P F009

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 October 2010