Under native DB2 security, many DB2 security administrators use secondary authIDs to simplify DB2 security administration. DB2 provides two exits that make it possible to inspect or modify a user's identity to DB2, DSN3@SGN and DSN3@ATH. ACF2 provides two sample exits that can be used instead of IBM - supplied default exits, library ACF2.CX1xxMLD (where xx is the release of ACF2), members ACF3@SGN and ACF3@ATH. 

How to make sure that ACF2 is sending secondary authids to DB2 during the signon?

ACF2 can send a WTO for the first 6 secondary authIds by modifying the exits that are being used.  

$WTOFLAG DC    C'N'    

Either changing this to a Y and re-assemble and re-inserting the exit in the DB2 exit points, or zap the offset in the module.  

The WTO messages can be one of the five coded in the exits:

$WTOMSG1 WTO   'ACFS3ATH-001: PRIMARY ID; XXXXXXXX SQL ID; XXXXXXXX',  X

               ROUTCDE=(11),MF=L                                        

WTOLEN1  EQU   *-$WTOMSG1                                               

$WTOMSG2 WTO   'ACFS3ATH-002: PRIMARY ID; XXXXXXXX',                   X

               ROUTCDE=(11),MF=L                                        

WTOLEN2  EQU   *-$WTOMSG2                                               

$WTOMSG3 WTO   'ACFS3ATH-003: SSL RC=XXX; COUNT=XXX; LIST IDS; XXXXXXXXX

               YYYYYYYYZZZZZZZZ',ROUTCDE=(11),MF=L                      

WTOLEN3  EQU   *-$WTOMSG3                                               

$WTOMSG4 WTO   'ACFS3ATH-004: SQL ID; XXXXXXXX',                       X

               ROUTCDE=(11),MF=L                                        

WTOLEN4  EQU   *-$WTOMSG4                                               

$WTOMSG5 WTO   'ACFS3ATH-005: DB2 CONNECTION PARAMETER LIST IS IN ERRORX

               ',ROUTCDE=(11),MF=L