User credentials and supported authentication methods
Data Virtualization uses your Cloud Pak for Data credentials to connect to the service.
- Authorization
Cloud Pak for Data users who are authorized can connect to and use Data Virtualization.
Data Virtualization roles are used for authorization, independently of group membership. Data Virtualization uses role-based access control for database-level and object-level authorization.Data Virtualization follows authorization based on the Db2® Authorities and Privilege model. For details, see Privileges.
- Authentication
- If you authenticate to Data Virtualization directly
by using JDBC client applications or when prompted in different scenarios, such as, when previewing
assets in the catalog, project, etc., you must specify the Cloud Pak for Data user name and password.
A Data Virtualization Admin must explicitly add Cloud Pak for Data users to the Data Virtualization service in order for these users to authenticate to the service directly. When the Data Virtualization Admin adds a Cloud Pak for Data user to the service, a Data Virtualization role is assigned to the user.
Data Virtualization supports the following authentication methods:
User name and password
You can connect with a user name and password.
- JDBC user name and password
- When you connect with a user name and password, three different security mechanisms are
supported: clear text password, encrypted password, and encrypted user ID and password.
Table 1. JDBC user name and password ID Security method Description 3 CLEAR_TEXT_PASSWORD_SECURITY User ID and password 7 ENCRYPTED_PASSWORD_SECURITY User ID and encrypted password 9 ENCRYPTED_USER_AND_PASSWORD_SECURITY Encrypted user ID and encrypted password If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the
encryptionAlgorithm=2
property.The following examples show the commands to connect with and without secure sockets layer (SSL):
- SSL
-
"jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id;sslConnection=true"
- Non-SSL
-
"jdbc:db2://Host_name_or_IP_address:DV_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id"
Where:Table 2. Variables required to connect to the service Variable name Description Host_name_or_IP_address The host name or IP address of the Cloud Pak for Data instance. DV_SSL_port The port number of the Data Virtualization SSL instance. DV_port The port number of the Data Virtualization instance. Database_name The name of the database. User_name The Cloud Pak for Data user name. Password The Cloud Pak for Data password Security_mechanism_id One of the values in the ID column from the JDBC user name and password table. - Command line processor (CLP) user name and password
- Connect to the database server Database_server_name with a Cloud Pak for Data user name and password by running the following
command at the CLP command prompt or from a
script:
CONNECT TO Database_server_name USER User_name USING Password
- CLPPlus user name and password
- Connect to the DSN alias (
@Data_source_name
) with a Cloud Pak for Data user name and password by running the following command at the CLPPLUS command prompt or from a script:CONNECT User_name/Password@Data_source_name
User name requirements
Data Virtualization requires user names to conform the
Db2
authorization-name
identifier requirements.
authorization-name
is defined as an identifier that
designates a user, group, or role. For a user or a group:- Valid characters are: 'A' through 'Z'; 'a' through 'z'; '0' through '9'; '#'; '@'; '$'; '_'; '!'; ' '('; ')'; '{'; '}'; '-'; '.'; and '^'.
- The following characters must be delimited with quotation marks when entered through the command line processor: '!'; ' '('; ')'; '{'; '}'; '-'; '.'; and '^'.
- The name must not begin with the characters 'SYS', 'IBM', or 'SQL'. *
- The name must not be: 'ADMINS', 'GUESTS', 'LOCAL', 'PUBLIC', or 'USERS'.*
- A delimited authorization ID must not contain lowercase letters.
Error: There is an internal error.
Please refresh this page if it does not behave properly.
The operation failed because the specified authorization name does not meet the identifier naming rules. Authorization name: <authorization name>
BIGSQL
*BLUADMIN
*ICP4D-DEV
*CACHEADMIN
*DMCUSER
*
JWT tokens
You can connect with JSON Web Tokens (JWT).
- JDBC access token
-
"jdbc:db2://Host_name_or_IP_address/Database_name:accessToken=Access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
Where Access_token is the Cloud Pak for Data platform or instance token.
- CLP access token
- Connect to the database server Database_server_name and pass the access token
by running the following command at the CLP command prompt or from a
script:
CONNECT TO Database_server_name ACCESSTOKEN Access_token
- CLPPlus access token
- Connect to the DSN alias (
@Data_source_name
) and pass the access token by running the following command at the CLPPLUS command prompt or from a script:CONNECT @Data_source_name using(accesstoken Access_token)
API keys
You can connect by providing an API key.
- JDBC API key
Where API_key is the Cloud Pak for Data platform or instance API key."jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:apiKey=User_name:API_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
- CLP API key
- Connect to the database server Database_server_name with an API key by
running the following command at the CLP command prompt or from a
script:
CONNECT TO Database_server_name APIKEY User_name:API_key
- CLPPlus API key
- Connect to the DSN alias (
@data_source_name
) with an API key by running the following command at the CLPPLUS command prompt or from a script:CONNECT @Data_source_name using(apikey User_name:API_key)
External providers
Connections through external providers are supported.
- External LDAP
- Data Virtualization supports LDAP that is used to manage access to the Cloud Pak for Data platform. For details, see Connecting to your LDAP server.