DB2 RACF Access Control Exit Routine

Mohamed Esmael

DB2 RACF Access Control Exit Routine

Dear All 

we Face the problem when we try to Activate RACF Access Control as after running member DSNTIJEX and resembled it for DSNXRXAC , the below message appears

 

DSNX210I  = DSNXACAE - ACCESS CONTROL AUTHORIZATION  49   

EXIT ROUTINE ([login to unmask email]) HAS INDICATED THAT IT SHOULD NOT BE

HAS ABENDED OR HAS RETURNED AN INVALID RETURN CODE DURING  

INITIALIZATION. RETURN CODE=000C, REASON CODE=00000004.    

CUMULATIVE ABENDS DURING EXIT PROCESSING=0000.             

EXIT ROUTINE STATUS: STOPPED.                              

 

Note:- we Change on  CLASSNM to be DSNT on DSNXRXAC exit

 

 

 

James Campbell

DB2 RACF Access Control Exit Routine
(in response to Mohamed Esmael)
"No active DB2 classes"?

James Campbell

On 8 Mar 2018 at 10:30, Mohamed Esmael wrote:

>
> Dear All 
> we Face the problem when we try to Activate RACF Access Control as after running member
> DSNTIJEX and resembled it for DSNXRXAC , the below message appears
>  
> DSNX210I  = DSNXACAE - ACCESS CONTROL AUTHORIZATION  49   
> EXIT ROUTINE ([login to unmask email]) HAS INDICATED THAT IT SHOULD NOT BE
> HAS ABENDED OR HAS RETURNED AN INVALID RETURN CODE DURING  
> INITIALIZATION. RETURN CODE=000C, REASON CODE=00000004.    
> CUMULATIVE ABENDS DURING EXIT PROCESSING=0000.             
> EXIT ROUTINE STATUS: STOPPED.                              
>  
> Note:- we Change on  CLASSNM to be DSNT on DSNXRXAC exit
>  
>  

---
This email has been checked for viruses by AVG.
http://www.avg.com

Pete Suhner

RE: DB2 RACF Access Control Exit Routine
(in response to Mohamed Esmael)
Hi Mohamed,
the error message you state here is only the final one, showing us how the system will behave because of previous configuration issues. It tells us that the RACF exit is stopped and will w/o further try to restart it. Db2 will automatically revert to using internal security processing in this particular situation.

I assume that you would find a few IRR* messages just above the DSNX210I, which would provide you with more details about what happened during the initialization of the RACF exit routine.
You should be able to find more details on this behavior in the respective RedBook (SG24-7959-00, "Security Functions of IBM DB2 10 for z/OS", around pg 190 or so) - no idea whether a more recent edition is out meanwhile.

And just in case this was not a typo: the statement in DSNXRXAC should refer to CLASSNMT (as opposed to CLASSNM mentioned by you) as far as I remember. So this might be a reason for the error.

Best regards,

Pete Suhner
IDUG Board of Directors
IBM Champion for Analytics

Mohamed Esmael

RE: DB2 RACF Access Control Exit Routine
(in response to James Campbell)

The DB2 Classes are active , also i reactivated again but the same error 

Mohamed Esmael

RE: DB2 RACF Access Control Exit Routine
(in response to Pete Suhner)

Dear Pete 

Thanks for your reply , i want to inform you that we upgrade DB2 from V.10 to v.11 , also  i review IRR Message  and i found that message IRR916I which is ( RACF/Db2® EXTERNAL SECURITY MODULE WAS ASSEMBLED WITH AN [ HRF7720 OR EARLIER | HRF7730 OR LATER ] MACRO LIBRARY. Db2 ROLES AS RACF CRITERIA ARE [NOT] SUPPORTED.)

Russell Peters

RE: DB2 RACF Access Control Exit Routine
(in response to Mohamed Esmael)

Did you perhaps not assemble a new module in db2 11? I've had similar issues before where the migration process brought in a default [login to unmask email] module, or created one during the migration. Look in both the SDSNLOAD and your SDSNEXIT libraries and see if you have more than one module. If you are unsure, rename the modules and create a new one. Just a thought.

Mohamed Esmael

RE: DB2 RACF Access Control Exit Routine
(in response to Russell Peters)

Thanks Russell , it's working now :)