00D31059 on DB2 9 for z/OS

Darren Kilpatrick

00D31059 on DB2 9 for z/OS
Hello,
I am getting a resource unavailable message with the code 00D31059 Type 1004 when connecting to a remote DB2. Both DB2 systems are DB2 9 NFM for z/OS. I have set up the entries in Ipnames and Locations catalog tables. I am using the DSNREXX plan, and have put the owner name for the plan on each system in the usernames table (authid and newauthid columns). I also put my id in that table as well. Type 1004 is Location.AuthorizationID.Plan. The odd thing is that it references the Local subsystem, my ID on the Remote system, and plan name (DB2W.A999X99.DSNREXX). Also, the error message also mentions a RACF PassTicket. Does something need to be set up in VTAM for that?

_____________________________________________________________________
* IDUG North America * Anaheim, California * May 2-6 2011 * http://IDUG.ORG/NA *
* Your only source for independent, unbiased, and trusted DB2 information. *
** The best DB2 technical sessions in the world
** Independent, not-for-profit, User Run - the IDUG difference!
_____________________________________________________________________

If you need to change settings, http://www.idug.org/cgi-bin/wa?A0=DB2-L is the home of IDUG's Listserv

James Campbell

Re: 00D31059 on DB2 9 for z/OS
(in response to Darren Kilpatrick)
Explanation: An attempt to allocate a conversation to the remote site failed because DB2 was unable to obtain a RACF PassTicket. The user specified an 'R' in the SECURITY_OUT (see below) column of the SYSIBM.IPNAMES and/or SYSIBM.LUNAMES communications database (CDB) tables for the partner site. As a result, DB2 invokes RACF to extract a PassTicket for the partner site. However, RACF could not provide a PassTicket, and the attempt failed.



The error usually occurs due to incorrect or missing RACF definitions. To avoid this error, specify the proper RACF definitions to provide for the PassTicket. Alternatively, you may avoid the use of PassTickets by changing the SECURITY_OUT column of the SYSIBM.IPNAMES and/or SYSIBM.LUNAMES CDB table for the partner site. For information regarding PassTickets, refer to Part 3 (Volume 1) of DB2 Administration Guide.


SECURITY_OUT:
The value that is used for an outbound request is either the DB2 user's authorization ID or a translated ID, depending on the value in the USERNAMES column. The translated ID is used to build the RACF PassTicket. Do not specify R for CONNECT statements with a USER parameter.





Jim Campbell

Sr. Database Administrator

360-704-4015




-----Original Message-----
From: IDUG DB2-L On Behalf Of Darren Kilpatrick
Sent: Thursday, December 23, 2010 6:10 AM
Subject: [DB2-L] 00D31059 on DB2 9 for z/OS



Hello,

I am getting a resource unavailable message with the code 00D31059 Type 1004 when connecting to a remote DB2. Both DB2 systems are DB2 9 NFM for z/OS. I have set up the entries in Ipnames and Locations catalog tables. I am using the DSNREXX plan, and have put the owner name for the plan on each system in the usernames table (authid and newauthid columns). I also put my id in that table as well. Type 1004 is Location.AuthorizationID.Plan. The odd thing is that it references the Local subsystem, my ID on the Remote system, and plan name (DB2W.A999X99.DSNREXX). Also, the error message also mentions a RACF PassTicket. Does something need to be set up in VTAM for that?




James Campbell

Re: 00D31059 on DB2 9 for z/OS
(in response to James Campbell)
Forgot to add this:



Generating and using RACF PassTickets

A PassTicket is a program-generated character string that can be used in place of a password, with the following constraints:

· A specific PassTicket may be used for authentication once.

· The PassTicket must be used within 10 minutes of being generated.

· To ease the problem of system time differences, a specific PassTicket can be used up to 10 minutes earlier or later in a target system, compared to the generating system.


Front end programming interface (FEPI) security can generate a PassTicket for use on a target system. The PassTicket can be used anywhere a password can be used.



Note: The PassTicket generation and validation algorithm means that the system that creates the PassTicket and the system that validates it must both use the same level of this function. That is, if the creating system has the function applied, and the validating system does not, the PassTicket is invalid.

For more information about the system time differences, and the use of the PassTicket within the 10 minute interval, see the z/OS Security Server RACF Security Administrator's Guide.



Use the PTKTDATA resource class to define profiles that contain the encryption key used for generating and validating PassTickets.



A profile is added for each APPLID that receives sign-ons with PassTickets.

The format of the command to add profiles is:



RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(password-key))

or

RDEFINE PTKTDATA applid SSIGNON(KEYENCRYPTED(password-key))


Can also be found in: http://publib.boulder.ibm.com/infocenter/cicsts/v4r1/topic/com.ibm.cics.ts.doc/pdf/dfht5_pdf.pdf

Jim Campbell
Sr. Database Administrator
360-704-4015
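
To see which SECURITY_OUT and USERNAMES settings are actually in effect for the failing connection, the CDB rows for the remote location can be listed side by side. The query below is an added example, not part of the original thread: 'REMOTELOC' is a placeholder for the remote LOCATION name, and the CASE text paraphrases the documented SECURITY_OUT values A, R and P.

```sql
-- Added diagnostic example (not from the original posts).
-- Lists how the local DB2 authenticates outbound requests to one
-- remote location, joining the three CDB tables named in the thread.
-- 'REMOTELOC' is a placeholder: substitute the remote LOCATION name.
-- The PASSWORD column of SYSIBM.USERNAMES is deliberately not selected.
SELECT L.LOCATION,
       L.LINKNAME,
       I.IPADDR,
       I.SECURITY_OUT,
       CASE I.SECURITY_OUT
         WHEN 'A' THEN 'already verified: authid sent, no password'
         WHEN 'R' THEN 'RACF PassTicket: RACF must be able to build one'
         WHEN 'P' THEN 'password: taken from SYSIBM.USERNAMES'
         ELSE 'other value: check the SYSIBM.IPNAMES description'
       END AS OUTBOUND_SECURITY,
       I.USERNAMES,          -- 'O' means outbound IDs are translated
       U.TYPE,
       U.AUTHID,             -- local ID (blank applies to all IDs)
       U.NEWAUTHID           -- translated ID used to build the PassTicket
  FROM SYSIBM.LOCATIONS L
  JOIN SYSIBM.IPNAMES I
    ON I.LINKNAME = L.LINKNAME
  LEFT JOIN SYSIBM.USERNAMES U
    ON (U.LINKNAME = I.LINKNAME OR U.LINKNAME = ' ')
   AND U.TYPE = 'O'          -- outbound translation rows only
 WHERE L.LOCATION = 'REMOTELOC'
 ORDER BY U.AUTHID;
```

A row showing SECURITY_OUT = 'R' means the RACF PassTicket definitions must exist on both systems; a row showing 'R' together with USERNAMES = 'O' means the NEWAUTHID value, not the local ID, is the one the PassTicket is built for.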