Connecting and authenticating to the Watson Query service
Watson Query uses your Cloud Pak for Data credentials to connect to the service.
- Authorization
Cloud Pak for Data users who are authorized can connect to and use Watson Query. For more information, see Managing roles for users and groups in Watson Query.
Watson Query roles are used for authorization, independently of group membership. Watson Query uses role-based access control for database-level and object-level authorization. Watson Query follows authorization based on the Db2® Authorities and Privilege model. For more information, see Privileges.
- Authentication
If you authenticate to Watson Query by using JDBC client applications or you are prompted when you preview assets in the catalog or project, you must specify the Cloud Pak for Data credentials.
A Watson Query Admin must explicitly add Cloud Pak for Data users to the Watson Query service in order for these users to authenticate to the service directly. When the Watson Query Admin adds a Cloud Pak for Data user to the service, a Watson Query role is assigned to the user.
Watson Query supports the following authentication methods.
Username and password
You can connect with a username and password.
- JDBC username and password
- When you connect with a username and password, three different security mechanisms are supported: clear text password, encrypted password, and encrypted user ID and password.

Table 1. JDBC username and password

| Security Mechanism ID | Security method | Description |
|---|---|---|
| 3 | CLEAR_TEXT_PASSWORD_SECURITY | User ID and password |
| 7 | ENCRYPTED_PASSWORD_SECURITY | User ID and encrypted password |
| 9 | ENCRYPTED_USER_AND_PASSWORD_SECURITY | Encrypted user ID and encrypted password |

If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the encryptionAlgorithm=2 property.

The following examples show the commands to connect with and without secure sockets layer (SSL):
- SSL
- "jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id;sslConnection=true"
- Non-SSL
- "jdbc:db2://Host_name_or_IP_address:DV_port/Database_name:user=User_name;password=Password;securityMechanism=Security_mechanism_id"
Where:

Table 2. Variables required to connect to the service

| Variable name | Description |
|---|---|
| Host_name_or_IP_address | The hostname or IP address of the Cloud Pak for Data instance. |
| DV_SSL_port | The port number of the Watson Query SSL instance. |
| DV_port | The port number of the Watson Query instance. |
| Database_name | The name of the database. |
| User_name | The Cloud Pak for Data username. |
| Password | The Cloud Pak for Data password. |
| Security_mechanism_id | One of the values in the ID column from the JDBC username and password table. |

- Command line processor (CLP) username and password
- Connect to the database server Database_server_name with Cloud Pak for Data credentials by running the following command from a CLP interface or from a script:
CONNECT TO Database_server_name USER User_name USING Password
- CLPPlus username and password
- Connect to the DSN alias (@Data_source_name) with Cloud Pak for Data credentials by running the following command from a CLPPLUS interface or from a script.
CONNECT User_name/Password@Data_source_name
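The following added example (not IBM's code) audits username/password JDBC URLs against the rules in this section: mechanism IDs must come from Table 1, mechanisms 7 and 9 need encryptionAlgorithm=2, and mechanism 3 without sslConnection=true sends the password unprotected. The hostname, ports, database name, and credentials are constructed, and the function names and finding codes are illustrative.

```python
import re

# Security mechanism IDs and names, copied from Table 1 on this page.
MECHANISMS = {3: "CLEAR_TEXT_PASSWORD_SECURITY", 7: "ENCRYPTED_PASSWORD_SECURITY",
              9: "ENCRYPTED_USER_AND_PASSWORD_SECURITY"}

def parse_props(url):
    """Return the properties of jdbc:db2://host:port/database:key=value;... as a dict."""
    match = re.fullmatch(r"jdbc:db2://[^/]+/[^:]+:(.*)", url)
    if not match:
        raise ValueError("not a jdbc:db2 URL with a property list")
    props = {}
    for item in match.group(1).split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(url):
    """Return finding codes for a username/password connection URL."""
    props = parse_props(url)
    ssl = props.get("sslConnection", "").lower() == "true"
    raw = props.get("securityMechanism", "")
    mech = int(raw) if raw.isdigit() else None
    findings = []
    if mech not in MECHANISMS:
        findings.append("UNKNOWN_MECHANISM")
    if mech == 3 and not ssl:
        # Mechanism 3 sends the password as-is, so only TLS protects it in transit.
        findings.append("CLEARTEXT_PASSWORD_WITHOUT_SSL")
    if mech in (7, 9) and props.get("encryptionAlgorithm") != "2":
        findings.append("MISSING_ENCRYPTION_ALGORITHM_2")
    return findings

def redact(url):
    """Mask the password value so the URL can be written to logs or tickets."""
    return re.sub(r"(password=)[^;]*", r"\1***", url)

# Constructed sample URLs (hostname, ports, database and credentials are made up).
BASE = "jdbc:db2://dv.example.com:{port}/EXAMPLEDB:user=alice;password=s3cret;"
SAMPLES = [
    BASE.format(port=50000) + "securityMechanism=3",
    BASE.format(port=50001) + "securityMechanism=9;sslConnection=true",
    BASE.format(port=50001) + "securityMechanism=9;encryptionAlgorithm=2;sslConnection=true",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(redact(sample), "->", audit(sample) or "ok")
```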
Username requirements
Watson Query requires usernames to conform to the Db2 authorization-name identifier requirements. authorization-name is defined as an identifier that designates a user, group, or role. For a user or a group, the following requirements apply.
- Valid characters are A through Z, a through z, 0 through 9, #, @, $, _, !, (, ), {, }, -, ., and ^.
- The following characters must be delimited with quotation marks when entered through the command line processor: !, (, ), {, }, -, ., and ^.
- The name must not begin with the characters SYS, IBM, or SQL. *
- The name must not be ADMINS, GUESTS, LOCAL, PUBLIC, or USERS.*
- A delimited authorization ID must not contain lowercase letters.
The operation failed because the specified authorization name does not meet the identifier naming rules. Authorization name: <authorization >
SYSIBM *
DB2INST1 *
CACHEADMIN *
DMCUSER *
DB2FENC1 *
ICP4D-DEV *
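The following added example (not IBM's code) checks a candidate user or group name against the authorization-name requirements listed above before the user is added to the service, and reports whether the name needs quotation marks in the command line processor. The function name and violation codes are illustrative, the case-insensitive matching of reserved words is an assumption, and the sample names are constructed.

```python
import string

# Character sets and reserved words as listed in the requirements above.
ALLOWED = set(string.ascii_letters + string.digits + "#@$_!(){}-.^")
NEEDS_CLP_QUOTES = set("!(){}-.^")
RESERVED_PREFIXES = ("SYS", "IBM", "SQL")
RESERVED_NAMES = {"ADMINS", "GUESTS", "LOCAL", "PUBLIC", "USERS"}

def check_authorization_name(name, delimited=False):
    """Return (violations, needs_clp_quotes) for a user or group name.

    delimited=True means the name will be stored as a quoted (delimited) ID.
    """
    if not name:
        # Not a rule from the page: an empty name is rejected as a precaution.
        return ["EMPTY"], False
    violations = []
    if any(ch not in ALLOWED for ch in name):
        violations.append("INVALID_CHARACTER")
    # Assumption: prefix and reserved-word checks ignore case, because Db2
    # folds ordinary (non-delimited) identifiers to uppercase.
    folded = name.upper()
    if folded.startswith(RESERVED_PREFIXES):
        violations.append("RESERVED_PREFIX")
    if folded in RESERVED_NAMES:
        violations.append("RESERVED_NAME")
    if delimited and any(ch.islower() for ch in name):
        violations.append("LOWERCASE_IN_DELIMITED_ID")
    needs_quotes = any(ch in NEEDS_CLP_QUOTES for ch in name)
    return violations, needs_quotes

# Constructed sample names, not taken from any real system.
SAMPLES = ["alice", "user@example.com", "sysadmin", "PUBLIC", "bob smith"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_authorization_name(sample))
```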
JWT tokens
You can connect with JSON Web Tokens (JWT).
- JDBC access token
- "jdbc:db2://Host_name_or_IP_address/Database_name:accessToken=Access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
Where Access_token is the Cloud Pak for Data platform or instance token.
- CLP access token
- Connect to the database server Database_server_name and pass the access token by running the following command from a CLP interface or from a script.
- CLPPlus access token
- Connect to the DSN alias (@Data_source_name) and pass the access token by running the following command from a CLPPLUS interface or from a script.
API keys
You can connect by providing an API key.
- JDBC API key
- "jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:apiKey=User_name:API_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
- CLP API key
- Connect to the database server Database_server_name with an API key by running the following command from a CLP interface or from a script.
CONNECT TO Database_server_name APIKEY User_name:API_key
- CLPPlus API key
- Connect to the DSN alias (@data_source_name) with an API key by running the following command from a CLPPLUS interface or from a script.
External providers
You can connect by using external providers.
- External LDAP
- Watson Query supports LDAP that is used to manage access to the Cloud Pak for Data platform. For more information, see Connecting to your LDAP server.
Developers
An Admin can allow developers to connect to Watson Query so that they can develop applications that access and use the data in a Watson Query instance.