MFA AUTH UNUSED TIME field (MFA_AUTHCACHE_UNUSED_TIME subsystem parameter)

The MFA_AUTHCACHE_UNUSED_TIME subsystem parameter specifies, in seconds, how long multi-factor authentication (MFA) security credentials from a distributed client (DRDA or REST) can remain unused in the Db2 global authentication cache before new security credentials must be provided.

An authentication cache entry is considered unused until its related MFA-based security credentials are reused by the same client IP address in a subsequent authentication request. The unused time is reset each time that the credentials are used. The authorization cache entry does not contain the text of the security credentials.

Acceptable values: 0, 120–7200 (see note 1)
Default: 0
Update: Yes (see note 2)
DSNZPxxx: DSN6SPRM.MFA_AUTHCACHE_UNUSED_TIME
Data sharing scope: Group
Security parameter: Yes
Notes:
  1. A non-zero value can only be specified if AUTHEXIT_CACHEREFRESH is set to ALL.
  2. Online update is supported only if the AUTHEXIT_CACHEREFRESH setting was ALL when Db2 was started. Otherwise, Db2 issues message DSNZ014I with DSNZCMD1 for load-csect-name for any online attempt to update the MFA_AUTHCACHE_UNUSED_TIME value.
0
Specifies that no security credentials authenticated with MFA are cached in the global authentication cache of this Db2 subsystem. In data sharing, this member does not query the authentication caches of other members for a matching cache entry, and other members cannot query the authentication cache of this member.

This is the default value.

120–7200

Specifies that Db2 caches security credentials authenticated with MFA, and the time in seconds that a cache entry can remain unused. An entry is unused until the client attempts to use the same credentials for authentication on a new connection from the same IP address. The unused time is reset each time that the entry is used. A non-zero value can only be specified if AUTHEXIT_CACHEREFRESH is set to ALL.

However, after a RACF user profile access change that affects the authorization ID, the user must provide new valid MFA credentials.

Data sharing

In data sharing, if the authorization cache of the current member does not have a match, the other members are queried. If a successful match is found in the cache of another member, a corresponding entry is made in the authorization cache of the current member.

The intra-group authentication cache lookup requires that all members be started if the ICSF load library, SCSFMOD0, is in the LINKLIST of the LPAR where Db2 runs.

If the members of a data sharing group are started with different MFA_AUTHCACHE_UNUSED_TIME settings, the entire group effectively uses the largest value specified for any member. For example, if member DB2A is started with a value of 120 and member DB2B is started with 7200, member DB2A requests the matching cached credentials from DB2B every 120 seconds until the cache entry in DB2B times out. The request for matching credentials in other members occurs only when either the cached credentials are not found in the current member, or the cached credentials in the current member have exceeded its unused time and a new replay of the credentials has been received on a new connection request from the same IP address. For best results, set the parameter for all members of the group to the same “maximum” value.
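The following is an added illustrative model, not Db2's own code, of the cache semantics this page describes: entries hold no credential text, the unused timer is reset only when the same client IP replays the same credentials, a member with a value of 0 neither caches nor queries the group, and a data sharing group with mixed settings behaves as if the largest MFA_AUTHCACHE_UNUSED_TIME applied. The class names, the HMAC-based cache key, the group secret, the `verify_with_racf` callback and the sample IP, user and one-time code are all constructed assumptions for the example; it walks through the DB2A=120 / DB2B=7200 scenario from the text.

```python
"""Illustrative model (added example, not Db2 code) of the MFA global authentication cache."""
import hashlib
import hmac
import os


class AuthCacheMember:
    """One data sharing member's MFA authentication cache (assumed model)."""

    def __init__(self, name, unused_time, authexit_cacherefresh="ALL"):
        # Page rules: a non-zero value needs AUTHEXIT_CACHEREFRESH=ALL, and must be 0 or 120-7200.
        if unused_time != 0 and authexit_cacherefresh != "ALL":
            raise ValueError("non-zero MFA_AUTHCACHE_UNUSED_TIME requires AUTHEXIT_CACHEREFRESH=ALL")
        if unused_time != 0 and not 120 <= unused_time <= 7200:
            raise ValueError("MFA_AUTHCACHE_UNUSED_TIME must be 0 or 120-7200")
        self.name = name
        self.unused_time = unused_time
        self.group = None
        self._entries = {}  # cache key -> time (seconds) the entry was last used; no credential text

    def _lookup_local(self, key, now):
        """True if a live entry exists; an entry unused longer than unused_time is discarded."""
        last_used = self._entries.get(key)
        if last_used is None:
            return False
        if now - last_used > self.unused_time:
            del self._entries[key]  # unused too long: credentials must be supplied again
            return False
        return True

    def authenticate(self, client_ip, auth_id, mfa_credential, now, verify_with_racf):
        """Return where the request was satisfied: 'cache', 'group' or 'racf' (raise on failure)."""
        if self.unused_time == 0:
            # Caching disabled on this member: no local entry, and no query of other members.
            if not verify_with_racf(auth_id, mfa_credential):
                raise PermissionError("MFA verification failed")
            return "racf"
        key = self.group.key(client_ip, auth_id, mfa_credential)
        if self._lookup_local(key, now):
            self._entries[key] = now  # reuse from the same IP resets the unused timer
            return "cache"
        # Miss (or local entry expired): query the other members; a hit is copied locally
        # but does not reset the timer on the member that answered.
        for other in self.group.members:
            if other is not self and other.unused_time != 0 and other._lookup_local(key, now):
                self._entries[key] = now
                return "group"
        if not verify_with_racf(auth_id, mfa_credential):
            raise PermissionError("MFA verification failed")
        self._entries[key] = now
        return "racf"


class DataSharingGroup:
    """Members that may query each other's caches (assumed model)."""

    def __init__(self, *members):
        self.members = list(members)
        self._secret = os.urandom(32)  # constructed: keys entries without storing credential text
        for member in members:
            member.group = self

    def key(self, client_ip, auth_id, mfa_credential):
        msg = "\0".join((client_ip, auth_id, mfa_credential)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def effective_unused_time(self):
        # The group behaves as if the largest configured value applied to every member.
        return max(m.unused_time for m in self.members)


def replay_scenario():
    """Walk through the DB2A=120 / DB2B=7200 example; return the outcomes and RACF call count."""
    db2a = AuthCacheMember("DB2A", 120)
    db2b = AuthCacheMember("DB2B", 7200)
    DataSharingGroup(db2a, db2b)
    racf_calls = []

    def verify(auth_id, credential):  # constructed stand-in for RACF/MFA verification
        racf_calls.append((auth_id, credential))
        return credential == "123456"  # constructed one-time code that the stand-in accepts

    ip, user, otp = "10.0.0.5", "APPUSER", "123456"  # constructed sample client
    results = [
        db2b.authenticate(ip, user, otp, now=0, verify_with_racf=verify),     # racf: first use
        db2a.authenticate(ip, user, otp, now=10, verify_with_racf=verify),    # group: copied from DB2B
        db2a.authenticate(ip, user, otp, now=100, verify_with_racf=verify),   # cache: 90 s unused < 120
        db2a.authenticate(ip, user, otp, now=300, verify_with_racf=verify),   # group: DB2A expired, DB2B live
        db2a.authenticate(ip, user, otp, now=7500, verify_with_racf=verify),  # racf: DB2B unused > 7200
    ]
    return results, len(racf_calls)


if __name__ == "__main__":
    print(replay_scenario())
```

The fourth step is the point of the page's example: DB2A's own entry has been unused longer than 120 seconds, but DB2B still holds a live copy, so DB2A re-fetches it instead of asking for new credentials; only once DB2B's 7200-second window lapses does the client have to authenticate again, which is why the group is effectively governed by the largest value.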