INI records in TSSUTIL for DB2 privileged acids
Article ID: 231354
Updated On:
Products
Issue/Introduction
TSSUTIL is showing a lot of INI records like this:
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- --------
10/08/20 01:10:12 aaaaa ACIDxxxx CICSyyyy CICSTEST FAIL DFHKETCB PSCHK=NO SIGNON OK INI S126734
RESOURCE TYPE & NAME : NAME=USER ACID0001
The user ACIDxxxx is a standard DB2 -plan -package owner and is an internal DB2 user so why are these records generated for this internal DB2 user in a CICS facility?
Environment
Release : 16.0
Component : Top Secret for z/OS
Cause
The LOG(INI) control option (Or LOG suboption in the facility) logs all job/session initiations and terminations.
A SAFTRACE shows this record:
TRACEID: tracid EVENT#: 01478356
JOBNAME: CICSyyyy USERID: ACIDxxxx ASID: asidnum
PROGRAM: DFHKETCB RB CURR: *IRB* APF: YES SFR/RFR: N/A
RACROUTE REQUEST=VERIFY,REQSTOR={=>}'reqstor',
SUBSYS={=>}'subsys',RELEASE=1.9.2,STAT=ASIS,SMC=YES,
ACEE={=>,STRUCTURE,=>}00000000,ENVIR=CREATE,
ENCRYPT=YES,INSTLN={STRUCTURE,=>,18C88944},LOC=ANY,
LOG=ASIS,MSGRTRN=YES,MSGSP=0,MSGSUPP=YES,PASSCHK=NO,
USERID={=>}'ACID0001',
WORKA={STRUCTURE SAFWORKA,=>,18C88A44}
This SAF record means that there is a SAF call to logon the acid ACIDxxxx so the INI record is recorded in the ATF of TSS.
Resolution
When the DB2 interface issues a sign-on for a secondary AUTHID it is done under the address space that requested the data.
So when a request comes into DB2 from a CICS address space, if a secondary AUTHID needs to be signed in, the sign-on is done under the facility that issued the initial request.
In this sample the CICS is running under facility CICSTEST . The logging option for facility CICSTEST is INIT . So when the ACID is sign-on TSS will log the INI. To stop the logging of INI remove the option from the facility.
Feedback
