After upgrading z/OS and ACF2, requests submitted to DB2 from a DB2 Windows application fail with ACF01007 PASSWORD REQUIRED. How can this be corrected?
DB2 issues a VERIFY signon request with PASSCHK=YES, but no password is available. To handle this situation, ACF2 issues an AUTH request with the class of VERPSWD and a resource of userid.NOPSWD to validate whether the address space should proceed with the signon. 'userid' is the logonid shown in the ACF01007 message. If the VERPSWD validation fails, the ACF01007 message is generated and the signon fails. If the VERPSWD validation is successful, the signon proceeds without a password.
ACF2 provides a CLASMAP to map VERPSWD to the resource type of PWD. A rule can be written to allow the DB2 id access to resource userid.NOPSWD with the type PWD, e.g., $KEY(userid.NOPSWD) TYPE(PWD). This rule will allow the signon to bypass the request for a password.
To confirm that a failed VERPSWD validation is the cause of the ACF01007 message, you can set a SAF SECTRACE on the DB2 address space. An example of the expected trace output follows.
The SECTRACE shows that the DB2 address space fails the VERIFY signon request with PASSCHK=YES. The VERIFY signon request failed because the VERPSWD validation failed. The VERPSWD validation failed in this case because there was no PWD-type rule for USER1.NOPSWD. After adding a rule to allow DB2 access to this resource, the VERPSWD validation was successful and the VERIFYX signon was successful.
From the SECTRACE (in sequence, before and after):

SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
JOBNAME= DSNRDIST ASID= 00BA PGM= DSNVEUS3 CURR RB= DSNVEUS3
SFR/RFR= N/A MODE= TASK APF= AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=VERIFY,RELEASE=7730,SYSTEM=YES,STAT=ASIS,SMC=YES,
ACEE=00000000,ENVIR=CREATE,ENCRYPT=YES,ENVRIN=,
ERROROPT=ABEND,LOC=ANY,LOG=ASIS,MSGSP=0,NESTED=NO,
PASSCHK=YES,WORKA=

SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
JOBNAME= DSNRDIST ASID= 00BA PGM= DSNVEUS3 CURR RB= SVC222
SFR/RFR= N/A MODE= TASK APF= AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,
STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER001.NOPSWD'),
FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,
USERID='........',WORKA=

SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
JOBNAME= DSNRDIST ASID= 00BA PGM= DSNVEUS3 CURR RB= SVC222
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,
STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER001.NOPSWD'),
FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,
USERID='........',WORKA=

SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
JOBNAME= DSNRDIST ASID= 00BA PGM= DSNVEUS3 CURR RB= DSNVEUS3
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= VERIFY INTERNAL MODE= GLOBAL
RACROUTE REQUEST=VERIFY,RELEASE=7730,SYSTEM=YES,STAT=ASIS,SMC=YES,
ACEE=00000000,ENVIR=CREATE,ENCRYPT=YES,ENVRIN=,
ERROROPT=ABEND,LOC=ANY,LOG=ASIS,MSGSP=0,NESTED=NO,
PASSCHK=YES,WORKA=

Sample rule to address the ACF01007 error:
ACF
SET R(PWD)
RECKEY USER001 ADD( NOPSWD UID(uid DB2STC) ALLOW)
For details, see the ACF2 documentation section: VERPSWD.
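
The SECTRACE check described above can be automated. This is an added example, not part of the original article or of ACF2: a Python script that scans captured trace text for post-call AUTH records in class VERPSWD that failed and reports the resource that needs a PWD rule. It assumes the record layout shown in the trace and that the first value of SFR/RFR is the SAF return code; the function names are hypothetical and the sample is abridged from the trace above.

```python
import re

# Constructed sample: pre-call and post-call AUTH records, abridged from the trace above.
SAMPLE = """\
SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
SFR/RFR= N/A MODE= TASK APF= AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,
STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER001.NOPSWD'),
SMFID= SYSA TOD= 20:05:21.29 TRACEID= TEST USERID= DB2STC
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,
STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER001.NOPSWD'),
"""

def split_records(text):
    """Split trace text into records; each record starts at an 'SMFID=' line."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("SMFID=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def field(pattern, record):
    m = re.search(pattern, record)
    return m.group(1) if m else None

def failed_verpswd(text):
    """Report post-call VERPSWD AUTH records whose SAF return code is non-zero."""
    findings = []
    for rec in split_records(text):
        if (field(r"REQUEST=(\w+)", rec), field(r"CLASS='(\w+)'", rec)) != ("AUTH", "VERPSWD"):
            continue
        codes = field(r"SFR/RFR=\s*(\S+)", rec)
        if codes in (None, "N/A"):          # pre-call record: no return codes yet
            continue
        saf_rc = int(codes.split("/")[0])   # assumption: first value is the SAF return code
        resource = field(r"ENTITYX=\('([^']+)'\)", rec)
        if saf_rc != 0:
            findings.append({
                "requester": field(r"USERID=\s+(\S+)", rec),  # header USERID (address space id)
                "resource": resource,
                "saf_rc": saf_rc,
                "rule_key": f"$KEY({resource}) TYPE(PWD)",    # rule form quoted in the article
            })
    return findings

print(failed_verpswd(SAMPLE))
```

Each finding names the address space id that made the request and the userid.NOPSWD resource, which are the two values the sample rule needs.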