User credentials and supported authentication methods in Db2
Db2 uses your Cloud Pak for Data credentials to connect to the database service.
Cloud Pak for Data users who are authorized can connect to and use Db2.
Db2 supports the following authentication methods:
Recommendation: Use SSL connections over non-SSL connections. Non-SSL
connections should only be considered for legacy applications and are only supported by user name
and password authentication.
The following variables are used in the examples:
- host_name_or_IP_address – The host name or IP address of the Cloud Pak for Data instance.
- db2_ssl_port – The port number of the Db2 SSL instance.
- db2_port – The port number of the Db2 instance.
- database_name – The name of the Db2 database.
- user_name – The Cloud Pak for Data user name.
- password – The Cloud Pak for Data password.
- security_mechanism_id – One of the values in the ID column from the table above.
- access_token – The Cloud Pak for Data platform token. (Used only in JWT tokens.)
- api_key – The Cloud Pak for Data platform API key. (Used only in API keys.)
User name and password
When you connect with a user name and password, three different security mechanisms are supported: clear text password, encrypted password, and encrypted user ID and password.
| ID | Security method | Description |
|---|---|---|
| 3 | CLEAR_TEXT_PASSWORD_SECURITY | User ID and password |
| 7 | ENCRYPTED_PASSWORD_SECURITY | User ID and encrypted password |
| 9 | ENCRYPTED_USER_AND_PASSWORD_SECURITY | Encrypted user ID and encrypted password |
If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or
ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the encryptionAlgorithm=2
property.
- JDBC user name and password
-
The following examples show the commands to connect with and without secure sockets layer (SSL):
- SSL
-
"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id;sslConnection=true" - Non-SSL
-
"jdbc:db2://host_name_or_IP_address:db2_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id"
- CLP user name and password
- Connect to the database server database_server_name with a Cloud Pak for Data user name and password by running the following
command at the CLP command prompt or from a
script:
CONNECT TO database_server_name USER user_name USING password - CLPPlus user name and password
- Connect to the DSN alias (
@data_source_name) with a a Cloud Pak for Data user name and password by running the following command at the CLPPLUS command prompt or from a script:CONNECT user_name/password@data_source_name
JWT tokens
You can connect with JWT tokens.
- JDBC access token
-
"jdbc:db2://host_name_or_IP_address/database_name:accessToken=access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true" - CLP access token
- Connect to the database server database_server_name and pass the access token
by running the following command at the CLP command prompt or from a
script:
CONNECT TO database_server_name ACCESSTOKEN access_token - CLPPlus access token
- Connect to the DSN alias (
@data_source_name) and pass the access token by running the following command at the CLPPLUS command prompt or from a script:CONNECT @data_source_name using(accesstoken access_token)
API keys
You can connect by providing an API key.
- JDBC API key
-
"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:apiKey=user_name:api_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true" - CLP API key
- Connect to the database server database_server_name with an API key by
running the following command at the CLP command prompt or from a
script:
CONNECT TO database_server_name APIKEY user_name:api_key - CLPPlus API key
- Connect to the DSN alias (
@data_source_name) with an API key by running the following command at the CLPPLUS command prompt or from a script:CONNECT @data_source_name using(apikey user_name:api_key)