Under native DB2 security, many DB2 security administrators use secondary authIDs to simplify DB2 security administration.  DB2 provides two exits that let you inspect or modify a user's identity to DB2, [email protected] and [email protected] CA-ACF2 provides two sample exits that you can use instead of IBM - supplied default exits, library ACF2.CX1xxMLD (where xx is the release of ACF2), members [email protected] and [email protected] 

How do I know if ACF2 is sending secondary authids to DB2 during the signon?

CA ACF2 can send a WTO for the first 1/2 dozen secondary authIds by modifying the exits that are being used.  

$WTOFLAG DC    C'N'    

Either change this to a Y and re-assemble and re-insert the exit in the DB2 exit points, or zap the offset in the module.  

The WTO messages can be one of the five coded in the exits:

$WTOMSG1 WTO   'ACFS3ATH-001: PRIMARY ID; XXXXXXXX SQL ID; XXXXXXXX',  X

               ROUTCDE=(11),MF=L                                        

WTOLEN1  EQU   *-$WTOMSG1                                               

$WTOMSG2 WTO   'ACFS3ATH-002: PRIMARY ID; XXXXXXXX',                   X

               ROUTCDE=(11),MF=L                                        

WTOLEN2  EQU   *-$WTOMSG2                                               

$WTOMSG3 WTO   'ACFS3ATH-003: SSL RC=XXX; COUNT=XXX; LIST IDS; XXXXXXXXX

               YYYYYYYYZZZZZZZZ',ROUTCDE=(11),MF=L                      

WTOLEN3  EQU   *-$WTOMSG3                                               

$WTOMSG4 WTO   'ACFS3ATH-004: SQL ID; XXXXXXXX',                       X

               ROUTCDE=(11),MF=L                                        

WTOLEN4  EQU   *-$WTOMSG4                                               

$WTOMSG5 WTO   'ACFS3ATH-005: DB2 CONNECTION PARAMETER LIST IS IN ERRORX

               ',ROUTCDE=(11),MF=L