EDC5111I Permission denied. (errno2=0x0BE80000) with Passticket signon

Document ID : KB000016717
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Resolving a EDC5111I Permission denied. (errno2=0x0BE80000)  when signing on with a passticket.

Question:

We are running into a problem with a function that calls to USS. I believe some permissions may not be set up for the BPX.SERVER.FACILITY or BPX.DAEMON.FACILITY Class. It looks ok to us at this point so we would like to confirm with CA. We can provide the sysout and a trace as well as the listing for the DB2 Administrative Task Scheduler and ACID. This is the DB2 Administrative Task Scheduler.

(TTHD000) Execution begins at time 2017-09-27-11.19.57.000000
(TTHD000) num invocations = 1
(TTHD000) PassTicket generated for user = "A810274"
(TTHD000) cannot login RC = -1
(TTHD000) pthread_security_np() errno = 111
(TTHD000) EDC5111I Permission denied. (errno2=0x0BE80000)
(TTHD000) Execution status NOTRUN
(TTHD000) Execution ends at time 2017-09-27-11.19.57.000000

Answer:

Need SIGNMULTI keyword when defining the passticket definitions to CA Top Secret:

TSS ADD(NDT) PSTKAPPL(applid)  SESSKEY(xxxx) SIGNMULTI

SIGNMULTI means that the passticket can be used more than once during its lifespan. If the passticket is used a second time, it will fail. I would add it and see if it takes care of the problem. If not, I will see what I can find in the traces.

Documented here:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/invoked-subfunctions/controlling-applications-that-invoke-r_ticketserv-r_gensec