Setting up remote DRDA communications to a db2 server using PTKTDATA - generate PassTicket

Article ID: 387121

Products

ACF2 - z/OS ACF2 - DB2 Option

Issue/Introduction

We have a DB2 subsystem and are trying to set up remote DRDA communications to this DB2 server.

This LPAR is running ACF2, not RACF like the other LPARs.

 

DB2 error message is as follows:

 

DSNL030I  #DT2B DSNLTSEC.39 DDF PROCESSING FAILURE 071    FOR   LUWID="luwid"   REASON=00D30116  THREAD-INFO=nnn

 

00D30116

Explanation

Authentication of a remote user was rejected by DB2.

The TCPALVER (TCP/IP Already Verified) subsystem parameter has been set to SERVER_ENCRYPT and the user ID and password authentication that was provided is not allowed because the password could not be evaluated to be a RACF PassTicket.

This error is likely to result from the following causes:

  • The RACF PTKTDATA class is inactive, or the resource (IRRPTAUTH.application.target-userid) is not defined to z/OS.
  • The RACF PTKTDATA class is active and the resource IRRPTAUTH.application.target-userid is defined to z/OS but the user ID associated to ssnmDIST started task is not permitted to use it.
  • The password provided is not a valid RACF PassTicket.

System action

The remote access attempt to Db2 is rejected, and the connection is terminated.

System programmer response

Ensure that the RACF PTKTDATA class is active, or the resource IRRPTAUTH.application.target-userid is defined and the user ID associated to ssnmDIST started task is permitted to access this resource, and try the remote request again.

 

1) Under ACF2, how to tell if the PTKTDATA class is active?

2) If PTKTDATA is not active, how to activate it?

3) How to check whether IRRPTAUTH.*DIST.*DIST is defined, and how to define it?

4) If not defined, would like to define it. Note the "*DIST": would like to use wildcards in the definition if possible.

Is the wildcard character in ACF2 "*" or "-"?

5) The user ID will be "*DIST" also. Assume we can grant it READ.

 

 

Environment

Product: ACF2

Resolution

To understand how to set up this security on the ACF2 side, see PTKTDATA Profile Record in the ACF2 documentation; it contains step-by-step instructions for working with PassTickets. If you have the equivalent RACF instructions, the ACF2 team can translate them directly.

1) Under ACF2, how to tell if the PTKTDATA class is active?

ACF2 has no notion of activating a resource class, so there is nothing to switch on. What must exist is a PTKTDATA profile record (SSIGNON division) whose record ID matches the APPLID of the target application the PassTicket is generated for; that record holds the secured signon key used to evaluate the PassTicket, and it must be the same key the generating side uses. Separately, the PTKTDATA class maps to resource type PTK (the default CLASMAP mapping), which is the type used for the IRRPTAUTH resource rule below.

To view all PTKTDATA profile records:

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
LIST LIKE(-)

2) If PTKTDATA is not active, how to activate it?

See above.

3) How to check whether IRRPTAUTH.*DIST.*DIST is defined, and how to define it?

To check, list the PTK resource rule sets whose key starts with IRRPTAUTH (defining the rule is covered under 4):

SET R(PTK)
LIST LIKE(IRRPTAUTH-)

4) If not defined, would like to define it. Note the "*DIST": would like to use wildcards in the definition if possible.

Is the wildcard character in ACF2 "*" or "-"?

SET R(PTK)
RECKEY IRRPTAUTH ADD(*DIST.*DIST UID(uidstring) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK)

READ - Generate/Evaluate PassTicket
UPDATE - Generate PassTicket

In the RECKEY command, IRRPTAUTH is the rule key and the text after ADD( is the rest of the resource name, application.target-userid as in the DB2 message text above: the second qualifier is the PassTicket application name and the third is the ID of the remote user being authenticated. The user ID of the ssnmDIST started task is the one that needs access, so it belongs in UID(), not in the rule key. F ACF2,REBUILD(PTK) is an operator MODIFY command that rebuilds the resident directory for type PTK so the new rule takes effect.

Both characters are masks, with different meanings:

A * masks exactly one character, so *DIST matches only five-character names such as ADIST; use one * per position (for example ****DIST for an eight-character name).
A - masks zero or more characters. See Mask in Resource Rules for where each mask character may appear in a rule entry.

5) The user ID will be "*DIST" also. Assume we can grant it READ.

It depends on what the started task does with PassTickets: with the SERVICE values above, READ is what is needed to evaluate a PassTicket presented by a remote user, and UPDATE is needed to generate one. If you have the RACF definitions used on the other LPARs, the ACF2 team can translate them directly.
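As an added worked example (not from the article, and not Broadcom's or IBM's own code), the checks and definitions from questions 1 to 4 above can be run in one pass as ACF2 commands under TSO in batch with IKJEFT01. Every name is a placeholder: DB2APPL stands for the PassTicket application name of the DB2 server, DT2BDIST for the ssnmDIST started-task user ID, uidstring for that user's ACF2 UID string, and the SSKEY value is a dummy; the SSKEY field name is assumed here and should be confirmed against the PTKTDATA Profile Record documentation. The rule entry DB2APPL.- grants the started task READ on IRRPTAUTH.DB2APPL.anything, which is the evaluate-only access DDF needs, rather than the *DIST.*DIST key from the question, which would match only five-character names.

```jcl
//PTKSETUP JOB (ACCT),'DDF PASSTICKET',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the original article: the ACF2 checks
//* and definitions from questions 1 to 4 run under TSO in batch.
//* All names are hypothetical placeholders:
//*   DB2APPL   PassTicket application name of the DB2 server
//*   DT2BDIST  user ID of the ssnmDIST started task
//*   uidstring ACF2 UID string that identifies DT2BDIST
//*   SSKEY     16 hex digits; must equal the key used on the
//*             side that generates the PassTickets (e.g. the
//*             RACF PTKTDATA profile for DB2APPL on other LPARs)
//* Run with only the LIST commands first; keep INSERT and RECKEY
//* only if the listings show nothing for DB2APPL and IRRPTAUTH.
//*
//ACFCMDS  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
ACF
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
LIST LIKE(-)
INSERT DB2APPL SSKEY(0123456789ABCDEF)
SET R(PTK)
LIST LIKE(IRRPTAUTH-)
RECKEY IRRPTAUTH ADD(DB2APPL.- UID(uidstring) SERVICE(READ) ALLOW)
LIST IRRPTAUTH
END
/*
```

After the job ends, issue F ACF2,REBUILD(PTK) from the operator console so the new rule is loaded, then retry the DRDA connection. If 00D30116 persists, run the ACFRPTRV resource rule violation report for type PTK to see which resource name and user ID ACF2 actually evaluated: the application name DB2 uses for the PassTicket must match the profile record ID character for character, and the started task's UID must be the one named in the rule.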