How do I know if ACF2 is sending secondary authids to DB2 during the signon?

Document ID : KB000014805
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Under native DB2 security, many DB2 security administrators use secondary authIDs to simplify DB2 security administration.  DB2 provides two exits that let you inspect or modify a user's identity to DB2, DSN3@SGN and DSN3@ATH. CA-ACF2 provides two sample exits that you can use instead of IBM - supplied default exits, library ACF2.CX1xxMLD (where xx is the release of ACF2), members ACF3@SGN and ACF3@ATH. 

Question:

How do I know if ACF2 is sending secondary authids to DB2 during the signon?

Answer:

CA ACF2 can send a WTO for the first 1/2 dozen secondary authIds by modifying the exits that are being used.  

$WTOFLAG DC    C'N'    

Either change this to a Y and re-assemble and re-insert the exit in the DB2 exit points, or zap the offset in the module.  

Additional Information:

The WTO messages can be one of the five coded in the exits:

$WTOMSG1 WTO   'ACFS3ATH-001: PRIMARY ID; XXXXXXXX SQL ID; XXXXXXXX',  X

               ROUTCDE=(11),MF=L                                        

WTOLEN1  EQU   *-$WTOMSG1                                               

$WTOMSG2 WTO   'ACFS3ATH-002: PRIMARY ID; XXXXXXXX',                   X

               ROUTCDE=(11),MF=L                                        

WTOLEN2  EQU   *-$WTOMSG2                                               

$WTOMSG3 WTO   'ACFS3ATH-003: SSL RC=XXX; COUNT=XXX; LIST IDS; XXXXXXXXX

               YYYYYYYYZZZZZZZZ',ROUTCDE=(11),MF=L                      

WTOLEN3  EQU   *-$WTOMSG3                                               

$WTOMSG4 WTO   'ACFS3ATH-004: SQL ID; XXXXXXXX',                       X

               ROUTCDE=(11),MF=L                                        

WTOLEN4  EQU   *-$WTOMSG4                                               

$WTOMSG5 WTO   'ACFS3ATH-005: DB2 CONNECTION PARAMETER LIST IS IN ERRORX

               ',ROUTCDE=(11),MF=L