LUWID in the messages. How do I trace the TCP/IP address and port to understand the location/user it

Cuneyt Goksu

A useful note.



---




<http://www-01.ibm.com/support/docview.wss?uid=swg21055269&myns=swgimgmt&mynp=OCSSEPEK&mynp=OCSSEPDU&mync=E&cm_sp=swgimgmt-_-OCSSEPEK-OCSSEPDU-_-E>





Question

How do I trace the TCP/IP address and port from LUWID in message?

Answer

There is a simple way to determine the IP address that sent the request. DB2
Connect generates the TCP/IP LUWID based on the client's IP address. By
decoding the display of LUWID in messages, you can determine the IP address
of the user who triggered the message and catch unauthorized use of an ID.

As an example, here is some output from the DSNL030I message:

**********************************************************
DSNL030I-DB2B DSNLTSEC DDF PROCESSING FAILURE FOR
LUWID=J56F045C.G422.B6D833AB804D
AUTHID=qhmcdjk, REASON=00D31050
**********************************************************

TCP/IP LUWIDs are based on the client's IP address, port number, and a
unique sequence number. In the example, the LUWID =
J56F045C.G422.B6D833AB804D.

J56F045C represents the TCP/IP address. G422 is the port number. And
B6D833AB804D is the unique sequence number. How are these numbers decoded?

* J56F045C represents the TCP/IP address in hexadecimal. To provide
coexistence with SNA, where SNA LUWIDs must begin with a letter ('A' through
'Z'), the first TCP/IP hexadecimal digit is converted to a character that
ranges from 'G' through 'P' where:
G=0, H=1, I=2, J=3, K=4, L=5, M=6, N=7, O=8, P=9.

Therefore, J56F045C is equivalent to 356F045C (or 35.6F.04.5C). Converting
from hexadecimal to decimal, 35.6F.04.5C is equal to 53.111.4.92.



* G422 represents the port number. Following the numbering
conventions of the previous field (where G=0), G422 is generated from port
number 1058.



So, in this example, the unauthorized user is initiating the request from IP
address 53.111.4.92 using port number 1058.

Note that DB2 now includes THREAD INFO in messages if the client sets the
information via the SET CLIENT special register. This may provide further
information on the end user if the decoded TCP/IP address is not the end
user but a gateway instead.

_________________________________________________________
Mehmet Cuneyt Goksu
IBM Certified Consulting IT Specialist
IBM zAnalytics Platform - Technical, MEA Leader
zChampion for Big Data and Analytics
Mobile: +905303171427
<http://www.ibm.com/mainframe50>
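
The decoding steps described in the note above, as an added example that is not part of the original post or of IBM's technote: it pulls LUWID, AUTHID and REASON out of DSNL030I text and decodes the address and port. The function names, the regular expressions (modelled on the sample message layout) and the 12-hex-digit sequence field are assumptions; a LUWID that does not fit the G through P form is reported with no decoded origin.

```python
import re

# Mapping from the note: a leading letter G..P stands for hex digit 0..9.
FIRST_CHAR = {c: str(i) for i, c in enumerate("GHIJKLMNOP")}

# TCP/IP form as shown in the note: address.port.sequence (field widths assumed).
LUWID_RE = re.compile(r"([G-P][0-9A-F]{7})\.([G-P][0-9A-F]{3})\.([0-9A-F]{12})")

# Layout follows the DSNL030I sample; the LUWID may sit on its own line.
MSG_RE = re.compile(
    r"LUWID\s*=\s*(\S+)\s+AUTHID\s*=\s*([^,\s]+),\s*REASON\s*=\s*([0-9A-F]{8})"
)

# The message quoted in the note.
SAMPLE = """DSNL030I-DB2B DSNLTSEC DDF PROCESSING FAILURE FOR
LUWID=J56F045C.G422.B6D833AB804D
AUTHID=qhmcdjk, REASON=00D31050"""


def decode_luwid(luwid):
    """Return (ip, port, sequence), or None when the LUWID does not fit the
    TCP/IP form described in the note (for example an SNA-style name)."""
    m = LUWID_RE.fullmatch(luwid.strip().upper())
    if m is None:
        return None
    # Swap the leading letter of each field for the digit it stands for.
    addr_hex, port_hex = (FIRST_CHAR[f[0]] + f[1:] for f in m.group(1, 2))
    ip = ".".join(str(b) for b in bytes.fromhex(addr_hex))
    return ip, int(port_hex, 16), m.group(3)


def scan(log_text):
    """List authid, reason code and decoded origin for each message found."""
    hits = []
    for luwid, authid, reason in MSG_RE.findall(log_text):
        decoded = decode_luwid(luwid)
        ip, port = decoded[:2] if decoded else (None, None)
        hits.append({"authid": authid, "reason": reason,
                     "luwid": luwid, "ip": ip, "port": port})
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE))
```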