Configuring the enhanced host based authentication (HBA2) mechanism mappings

Enhanced host based authentication (HBA2) network identities are mapped to native user identities in the same manner as host based authentication (HBA) identities.

This is described in Configuring the host based authentication (HBA) mechanism mappings.

Native identity mapping for HBA2 network identities follows the same formats and rules as those described earlier for HBA network identities. HBA2 network identities also support the same negative mappings, wildcard substitution rules, and reserved words.

Restriction: Configuring the HBA2 security mechanism for use in a peer domain is currently not supported.

To indicate that an entry in the ctsec_map.global or ctsec_map.local file refers to the enhanced host based authentication mechanism, you must begin the entry with the hba2: mnemonic.

Example: The following entry is an affirmative explicit mapping that associates the HBA2 network identifier jbrady@epsilon3.ibm.com to the local user identifier jbrady.
hba2:jbrady@epsilon3.ibm.com=jbrady
Example: The following entry illustrates a negative mapping for an HBA2 network identity.
hba2:!jbrady@epsilon3.ibm.com

The HBA2 MPM also supports the use of IP addresses in authentication, as illustrated in the following examples.

Example: The following entry is an affirmative explicit mapping using an IP address.
hba2:jbrady@9.117.10.14=jbrady
Example: The following entry is a negative mapping using an IP address.
hba2:!jbrady@9.117.10.14

As with the HBA mechanism, the HBA2 mechanism can authenticate using host names from some cluster nodes and IP addresses from other cluster nodes. Because each entry matches one exact network identity, an entry written for a host name does not match the same user arriving with that node's IP address, and vice versa. In these cases, create multiple mapping entries for the same remote node: one that uses the host name of the remote cluster node and one for each IP address supported by the remote cluster node. Apply the same rule to negative mappings, so that a user who is denied by host name is also denied when the node presents an IP address.

Example: The following entries map the same node by host name and by IP address.
hba2:jbrady@epsilon2.ibm.com=jbrady
hba2:jbrady@9.117.10.14=jbrady
hba2:jbrady@9.118.102.49=jbrady
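The following added example (not IBM's own ctsec_map code) shows how entries of the kind listed above resolve: it parses explicit hba2: entries from a constructed ctsec_map.global fragment, distinguishes affirmative from negative mappings, and demonstrates why a node that can present either its host name or one of its IP addresses needs one entry per form. It assumes that entries are consulted in file order and that the first entry matching the mechanism and network identity decides the result; wildcard substitution and reserved words, which the page says HBA2 also supports, are deliberately not handled here.

```python
"""Resolver for explicit hba2: entries in ctsec_map.global / ctsec_map.local.

Added illustration, not RSCT code. Assumptions (not stated on the page):
  - entries are evaluated in file order, first match wins;
  - only explicit entries are handled (no wildcards, no reserved words).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MapEntry:
    mechanism: str            # mnemonic before the colon, e.g. "hba2"
    network_id: str           # user@host or user@ip-address
    negative: bool            # True for "mech:!user@host" entries
    local_user: Optional[str]  # native identity for affirmative entries


def parse_entry(line: str) -> Optional[MapEntry]:
    """Parse one line of the mapping file; blank lines and comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if ":" not in line:
        raise ValueError(f"entry lacks a mechanism mnemonic: {line!r}")
    mechanism, rest = line.split(":", 1)
    if rest.startswith("!"):
        # Negative mapping: the network identity is explicitly refused a native identity.
        if "=" in rest:
            raise ValueError(f"negative mapping must not name a local user: {line!r}")
        return MapEntry(mechanism, rest[1:], True, None)
    if "=" not in rest:
        raise ValueError(f"affirmative mapping needs '=local_user': {line!r}")
    network_id, local_user = rest.split("=", 1)
    if not network_id or not local_user:
        raise ValueError(f"empty identity in entry: {line!r}")
    return MapEntry(mechanism, network_id, False, local_user)


def parse_map(text: str) -> List[MapEntry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def resolve(entries: List[MapEntry], mechanism: str, network_id: str) -> Optional[str]:
    """Return the native user for a network identity, or None if denied/unmapped."""
    for entry in entries:
        if entry.mechanism != mechanism or entry.network_id != network_id:
            continue
        # First matching entry decides (assumption): negative entries deny outright.
        return None if entry.negative else entry.local_user
    return None  # no entry at all: the identity is left unmapped


# Constructed sample fragment, built from the entries shown on this page.
SAMPLE_MAP = """
# deny jbrady from epsilon3, allow jbrady from epsilon2 by name and by address
hba2:!jbrady@epsilon3.ibm.com
hba2:jbrady@epsilon2.ibm.com=jbrady
hba2:jbrady@9.117.10.14=jbrady
hba2:jbrady@9.118.102.49=jbrady
"""

ENTRIES = parse_map(SAMPLE_MAP)


def demo() -> dict:
    """Resolve a few identities; the mismatched cases show why one entry per form is needed."""
    return {
        "denied_by_name": resolve(ENTRIES, "hba2", "jbrady@epsilon3.ibm.com"),   # None
        "name_ok": resolve(ENTRIES, "hba2", "jbrady@epsilon2.ibm.com"),          # jbrady
        "ip_ok": resolve(ENTRIES, "hba2", "jbrady@9.118.102.49"),                # jbrady
        "unlisted_ip": resolve(ENTRIES, "hba2", "jbrady@9.118.102.50"),          # None
        "wrong_mechanism": resolve(ENTRIES, "hba", "jbrady@9.117.10.14"),        # None
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "unlisted_ip" and "wrong_mechanism" cases are the ones to watch when auditing a mapping file: an address the remote node can present but that is not listed leaves the user unmapped, and an hba: entry never satisfies an HBA2 identity, so each mechanism needs its own entries.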