Configuring security for a REST client connection to Db2

REST connections to Db2® can be configured to use HTTPS, user ID and password authentication, or both.

HTTPS connections

Applies to zosConnect-2.0.

HTTPS can be used to secure a connection to ensure that the data transferred between the two parties is encrypted and that each party is able to validate the identity of the other party.

The client side of the TLS connection can be configured either in the z/OS® Connect server.xml configuration file or by using Application Transparent Transport Layer Security (AT-TLS). For more information about configuring AT-TLS, see Using Application Transparent Transport Layer Security (AT-TLS) in the z/OS documentation.

For information about configuring the server side of the TLS connection, see the Db2 product documentation.

User authentication

A user ID and password or PassTicket can be used to authenticate that the user is able to call the Db2 endpoint.

User authentication can be used with HTTP or HTTPS connections. Db2 RESTful services support basic authentication and PassTicket authentication; with TLS client authentication, the client certificate can be mapped to a SAF user ID. Basic authentication sends the user ID and password Base64-encoded, not encrypted, so over plain HTTP the credentials are readable on the network.

Note: Db2 for z/OS RESTful services do not support the use of RACF-protected user IDs for PassTicket authentication. This is a permanent restriction that is documented by APAR PH12603, titled ENABLE REST SERVICE REQUESTS TO UTILIZE RACF PASSTICKETS WITH PROTECTED USERIDS FOR AUTHENTICATION. However, if you use TLS client authentication to authenticate, then Db2 for z/OS does support the client certificate that is mapped to a RACF-protected user ID.
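
A server.xml fragment for the case described above, HTTPS through a SAF key ring combined with basic authentication; it is an added example, not taken from the IBM documentation. The element and attribute names are assumed from z/OS Connect and Liberty configuration, and the IDs, key ring name, host, port and credentials are constructed placeholders.

```xml
<!-- Added example. Element and attribute names are assumed from z/OS Connect
     and Liberty configuration; every value is a constructed placeholder. -->
<server>
    <!-- SAF key ring that holds the CA certificate used to validate the Db2
         server certificate and, when TLS client authentication is used, the
         client certificate that Db2 maps to a SAF user ID. -->
    <keyStore id="db2KeyRing"
              location="safkeyring:///Keyring.Db2Client"
              password="password"
              type="JCERACFKS"
              fileBased="false"
              readOnly="true"/>

    <!-- TLS settings for the client side of the connection. -->
    <ssl id="db2SslConfig"
         keyStoreRef="db2KeyRing"
         trustStoreRef="db2KeyRing"
         sslProtocol="TLSv1.2"/>

    <!-- Basic authentication credentials presented to the Db2 endpoint. -->
    <zosconnect_zosConnectServiceRestClientBasicAuth id="dsn2Auth"
         userName="DB2USER"
         password="REPLACE_WITH_PASSWORD"/>

    <!-- The connection references both: sslCertsRef makes it HTTPS, so the
         basic authentication header is never sent in the clear. Leaving
         sslCertsRef out would send the same credentials over plain HTTP. -->
    <zosconnect_zosConnectServiceRestClientConnection id="db2Conn"
         host="db2.example.com"
         port="4443"
         basicAuthRef="dsn2Auth"
         sslCertsRef="db2SslConfig"/>
</server>
```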