Under native DB2 security, many DB2 security administrators use secondary authIDs to simplify DB2 security administration. DB2 provides two exits that let you inspect or modify a user's identity to DB2, [email protected] and [email protected] CA-ACF2 provides two sample exits that you can use instead of IBM - supplied default exits, library ACF2.CX1xxMLD (where xx is the release of ACF2), members [email protected] and [email protected]
How do I know if ACF2 is sending secondary authids to DB2 during the signon?
CA ACF2 can send a WTO for the first 1/2 dozen secondary authIds by modifying the exits that are being used.
$WTOFLAG DC C'N'
Either change this to a Y and re-assemble and re-insert the exit in the DB2 exit points, or zap the offset in the module.
The WTO messages can be one of the five coded in the exits:
$WTOMSG1 WTO 'ACFS3ATH-001: PRIMARY ID; XXXXXXXX SQL ID; XXXXXXXX', X
WTOLEN1 EQU *-$WTOMSG1
$WTOMSG2 WTO 'ACFS3ATH-002: PRIMARY ID; XXXXXXXX', X
WTOLEN2 EQU *-$WTOMSG2
$WTOMSG3 WTO 'ACFS3ATH-003: SSL RC=XXX; COUNT=XXX; LIST IDS; XXXXXXXXX
WTOLEN3 EQU *-$WTOMSG3
$WTOMSG4 WTO 'ACFS3ATH-004: SQL ID; XXXXXXXX', X
WTOLEN4 EQU *-$WTOMSG4
$WTOMSG5 WTO 'ACFS3ATH-005: DB2 CONNECTION PARAMETER LIST IS IN ERRORX