User credentials and supported authentication methods

Data Virtualization uses your Cloud Pak for Data credentials to connect to the service.

Authorization

Cloud Pak for Data users who are authorized can connect to and use Data Virtualization.

Data Virtualization roles are used for authorization, independently of group membership. Data Virtualization uses role-based access control for database-level and object-level authorization.

Data Virtualization follows authorization based on the Db2® Authorities and Privilege model. For details, see Privileges.

Authentication
If you authenticate to Data Virtualization directly by using JDBC client applications, or when you are prompted for credentials in other scenarios, such as when previewing assets in a catalog or project, you must specify your Cloud Pak for Data user name and password.

A Data Virtualization Admin must explicitly add Cloud Pak for Data users to the Data Virtualization service in order for these users to authenticate to the service directly. When the Data Virtualization Admin adds a Cloud Pak for Data user to the service, a Data Virtualization role is assigned to the user.

Data Virtualization supports the following authentication methods:

User name and password

You can connect with a user name and password.

JDBC user name and password
When you connect with a user name and password, three different security mechanisms are supported: clear text password, encrypted password, and encrypted user ID and password.
Table 1. JDBC user name and password
ID Security method Description
3 CLEAR_TEXT_PASSWORD_SECURITY User ID and password
7 ENCRYPTED_PASSWORD_SECURITY User ID and encrypted password
9 ENCRYPTED_USER_AND_PASSWORD_SECURITY Encrypted user ID and encrypted password

If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the encryptionAlgorithm=2 property.

The following examples show the commands to connect with and without secure sockets layer (SSL):

SSL
"jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id;sslConnection=true"
Non-SSL
"jdbc:db2://Host_name_or_IP_address:DV_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id"
Where:
Table 2. Variables required to connect to the service
Variable name Description
Host_name_or_IP_address The host name or IP address of the Cloud Pak for Data instance.
DV_SSL_port The port number of the Data Virtualization SSL instance.
DV_port The port number of the Data Virtualization instance.
Database_name The name of the database.
User_name The Cloud Pak for Data user name.
Password The Cloud Pak for Data password.
Security_mechanism_id One of the values in the ID column from the JDBC user name and password table.
Command line processor (CLP) user name and password
Connect to the database server Database_server_name with a Cloud Pak for Data user name and password by running the following command at the CLP command prompt or from a script:
CONNECT TO Database_server_name USER User_name USING Password
CLPPlus user name and password
Connect to the DSN alias (@Data_source_name) with a Cloud Pak for Data user name and password by running the following command at the CLPPLUS command prompt or from a script:
CONNECT User_name/Password@Data_source_name

User name requirements

Data Virtualization requires user names to conform to the Db2 authorization-name identifier requirements.

More specifically, an authorization-name is defined as an identifier that designates a user, group, or role. For a user or a group:
  • Valid characters are: 'A' through 'Z'; 'a' through 'z'; '0' through '9'; '#'; '@'; '$'; '_'; '!'; ' '('; ')'; '{'; '}'; '-'; '.'; and '^'.
  • The following characters must be delimited with quotation marks when entered through the command line processor: '!'; ' '('; ')'; '{'; '}'; '-'; '.'; and '^'.
  • The name must not begin with the characters 'SYS', 'IBM', or 'SQL'.*
  • The name must not be: 'ADMINS', 'GUESTS', 'LOCAL', 'PUBLIC', or 'USERS'.*
  • A delimited authorization ID must not contain lowercase letters.
If you attempt to add a user with a user name that does not meet these requirements, you will get the following error:
Error: There is an internal error.
        Please refresh this page if it does not behave properly.
If you attempt to add the user by using SQL with a user name that does not meet these requirements, you will get the following error:
The operation failed because the specified authorization name does not meet the identifier naming rules. Authorization name: <authorization name>
In addition, the following user names are reserved for functional IDs and must never be added as users in Cloud Pak for Data, or any external user management system configured for Cloud Pak for Data:
  • BIGSQL*
  • BLUADMIN*
  • ICP4D-DEV*
  • CACHEADMIN*
  • DMCUSER*
Note: * These names are reserved irrespective of case.
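The rules above are easiest to apply consistently if they are checked before a user is added, so that the generic "internal error" is never reached. The following validator is an added example, not IBM's code: it accepts exactly the characters listed above (a space is not treated as valid), applies the prefix, reserved-name and functional-ID checks irrespective of case as the footnote states, flags lowercase letters in a delimited (double-quoted) ID, and reports which names need quotation marks at the CLP prompt. The sample names in the test are constructed.

```python
"""Check a proposed Data Virtualization user name against the Db2
authorization-name rules listed on this page.

Added example; not IBM's code. Assumptions: the valid-character set is
exactly the one listed above (space excluded); reserved names, reserved
prefixes and functional IDs are compared irrespective of case.
"""
from typing import List

# Characters the page lists as valid for a user or group authorization name.
_VALID_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "#@$_!(){}-.^"
)
# Subset that must be delimited with quotation marks at the CLP prompt.
_NEEDS_DELIMITING = set("!(){}-.^")
_FORBIDDEN_PREFIXES = ("SYS", "IBM", "SQL")
_RESERVED_NAMES = {"ADMINS", "GUESTS", "LOCAL", "PUBLIC", "USERS"}
# Functional IDs that must never be added as users (reserved irrespective of case).
_FUNCTIONAL_IDS = {"BIGSQL", "BLUADMIN", "ICP4D-DEV", "CACHEADMIN", "DMCUSER"}


def validate_authorization_name(name: str) -> List[str]:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems: List[str] = []
    # A delimited ID is written inside double quotation marks.
    delimited = len(name) >= 2 and name.startswith('"') and name.endswith('"')
    body = name[1:-1] if delimited else name
    if not body:
        return ["name is empty"]

    bad = sorted({c for c in body if c not in _VALID_CHARS})
    if bad:
        problems.append(f"invalid characters: {''.join(bad)!r}")

    upper = body.upper()  # footnote: these checks apply irrespective of case
    if upper.startswith(_FORBIDDEN_PREFIXES):
        problems.append("name must not begin with SYS, IBM or SQL")
    if upper in _RESERVED_NAMES:
        problems.append(f"{upper} is a reserved name")
    if upper in _FUNCTIONAL_IDS:
        problems.append(f"{upper} is reserved for a functional ID")
    if delimited and any(c.islower() for c in body):
        problems.append("a delimited authorization ID must not contain lowercase letters")
    return problems


def needs_clp_delimiting(name: str) -> bool:
    """True when the name contains a character that must be quoted at the CLP."""
    return any(c in _NEEDS_DELIMITING for c in name)


def clp_form(name: str) -> str:
    """Form to type at the CLP prompt.

    Names that need delimiting are quoted, and because a delimited ID must not
    contain lowercase letters, they are upper-cased first.
    """
    if needs_clp_delimiting(name):
        return '"' + name.upper() + '"'
    return name


if __name__ == "__main__":
    # Constructed sample names, not real accounts.
    for candidate in ("alice", "SYSadmin", "public", "bigsql", "bob smith", '"Alice"', "jane.doe"):
        print(f"{candidate!r:12} -> {validate_authorization_name(candidate) or 'ok'}"
              f"  (CLP: {clp_form(candidate)})")
```

Run the validator in the admin tooling that adds users, and log the returned reasons; the page's own error messages do not say which rule was broken.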

JWT tokens

You can connect with JSON Web Tokens (JWT).

JDBC access token
"jdbc:db2://Host_name_or_IP_address/Database_name:accessToken=Access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"

Where Access_token is the Cloud Pak for Data platform or instance token.

CLP access token
Connect to the database server Database_server_name and pass the access token by running the following command at the CLP command prompt or from a script:
CONNECT TO Database_server_name ACCESSTOKEN Access_token
CLPPlus access token
Connect to the DSN alias (@Data_source_name) and pass the access token by running the following command at the CLPPLUS command prompt or from a script:
CONNECT @Data_source_name using(accesstoken Access_token)

API keys

You can connect by providing an API key.

JDBC API key
"jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:apiKey=User_name:API_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
Where API_key is the Cloud Pak for Data platform or instance API key.
CLP API key
Connect to the database server Database_server_name with an API key by running the following command at the CLP command prompt or from a script:
CONNECT TO Database_server_name APIKEY User_name:API_key
CLPPlus API key
Connect to the DSN alias (@Data_source_name) with an API key by running the following command at the CLPPLUS command prompt or from a script:
CONNECT @Data_source_name using(apikey User_name:API_key)
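The JDBC URLs in the user name and password, JWT token and API key sections all share one shape, and two of the rules above are easy to get wrong: mechanisms 7 and 9 need encryptionAlgorithm=2, and the IBMIAMauth plug-in URLs carry sslConnection=true. The builder below is an added example, not IBM's code: it assembles each URL form from this page, rejects the invalid combinations, and masks password, accessToken and apiKey values so a URL can be written to a log. It assumes the Db2 JCC URL convention of terminating every property=value pair with a semicolon, takes a port for the token URL (the page's token example shows none), and the host, port, database and credential values in the test are constructed.

```python
"""Build, validate and redact Data Virtualization JDBC connection URLs.

Added example for the authentication methods described on this page; not
IBM's code. Assumes the Db2 JCC URL form
jdbc:db2://host:port/database:prop=value;prop=value;
with every property terminated by a semicolon.
"""
import re
from typing import List, Optional, Tuple

# Security mechanism IDs from Table 1.
CLEAR_TEXT_PASSWORD_SECURITY = 3
ENCRYPTED_PASSWORD_SECURITY = 7
ENCRYPTED_USER_AND_PASSWORD_SECURITY = 9
# Mechanism used with pluginName=IBMIAMauth for access tokens and API keys.
IAM_PLUGIN_SECURITY = 15

_PASSWORD_MECHANISMS = {3, 7, 9}
_ENCRYPTED_MECHANISMS = {7, 9}


def _url(host: str, port: int, database: str, props: List[Tuple[str, object]]) -> str:
    """Join the properties onto the base URL; each pair ends with a semicolon."""
    return f"jdbc:db2://{host}:{port}/{database}:" + "".join(f"{k}={v};" for k, v in props)


def password_mechanism_problem(mechanism: int, encryption_algorithm: Optional[int]) -> Optional[str]:
    """Return why a password mechanism setting is invalid, or None if acceptable."""
    if mechanism not in _PASSWORD_MECHANISMS:
        return f"securityMechanism {mechanism} is not a password mechanism (3, 7 or 9)"
    if mechanism in _ENCRYPTED_MECHANISMS and encryption_algorithm != 2:
        return "securityMechanism 7 and 9 require encryptionAlgorithm=2"
    return None


def password_url(host: str, port: int, database: str, user: str, password: str,
                 mechanism: int, encryption_algorithm: Optional[int] = None,
                 ssl: bool = True) -> str:
    """URL for the user name and password method (Table 1 mechanisms)."""
    problem = password_mechanism_problem(mechanism, encryption_algorithm)
    if problem:
        raise ValueError(problem)
    props: List[Tuple[str, object]] = [
        ("user", user), ("password", password), ("securityMechanism", mechanism)]
    if mechanism in _ENCRYPTED_MECHANISMS:
        props.append(("encryptionAlgorithm", 2))
    if ssl:
        props.append(("sslConnection", "true"))
    return _url(host, port, database, props)


def access_token_url(host: str, port: int, database: str, token: str) -> str:
    """URL for a Cloud Pak for Data platform or instance access token (JWT)."""
    props: List[Tuple[str, object]] = [
        ("accessToken", token), ("securityMechanism", IAM_PLUGIN_SECURITY),
        ("pluginName", "IBMIAMauth"), ("sslConnection", "true")]
    return _url(host, port, database, props)


def api_key_url(host: str, port: int, database: str, user: str, api_key: str) -> str:
    """URL for a Cloud Pak for Data API key; the value is User_name:API_key."""
    props: List[Tuple[str, object]] = [
        ("apiKey", f"{user}:{api_key}"), ("securityMechanism", IAM_PLUGIN_SECURITY),
        ("pluginName", "IBMIAMauth"), ("sslConnection", "true")]
    return _url(host, port, database, props)


# Property values that are credentials and must not reach logs in clear text.
_SECRET_PROPS = re.compile(r"(password|accessToken|apiKey)=[^;]*;")


def redact_url(url: str) -> str:
    """Mask credential values so a URL can be logged or shown in an error message."""
    return _SECRET_PROPS.sub(r"\1=***;", url)


if __name__ == "__main__":
    # Constructed values: not a real host, port, database or credential.
    url = password_url("dv.example.com", 32051, "dvdb", "alice", "s3cret",
                       ENCRYPTED_PASSWORD_SECURITY, encryption_algorithm=2)
    print(redact_url(url))
    print(redact_url(api_key_url("dv.example.com", 32051, "dvdb", "alice", "k-0123")))
```

Keep the unredacted URL only in the data source configuration; anything that is printed, logged or attached to an exception should go through redact_url first.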

External providers

Connections through external providers are supported.

External LDAP
Data Virtualization supports LDAP that is used to manage access to the Cloud Pak for Data platform. For details, see Connecting to your LDAP server.