User credentials and supported authentication methods in Db2

Db2 uses your Cloud Pak for Data credentials to connect to the database service.

Cloud Pak for Data users who are authorized can connect to and use Db2.

Db2 supports the following authentication methods:

  • User name and password
  • JWT tokens
  • API keys

Recommendation: Use SSL connections over non-SSL connections. Non-SSL connections should only be considered for legacy applications and are only supported by user name and password authentication.

The following variables are used in the examples:

  • host_name_or_IP_address – The host name or IP address of the Cloud Pak for Data instance.
  • db2_ssl_port – The port number of the Db2 SSL instance.
  • db2_port – The port number of the Db2 instance.
  • database_name – The name of the Db2 database.
  • user_name – The Cloud Pak for Data user name.
  • password – The Cloud Pak for Data password.
  • security_mechanism_id – One of the values in the ID column of the security mechanism table in the "User name and password" section.
  • access_token – The Cloud Pak for Data platform token. (Used only for JWT token authentication.)
  • api_key – The Cloud Pak for Data platform API key. (Used only for API key authentication.)

User name and password

When you connect with a user name and password, three different security mechanisms are supported: clear text password, encrypted password, and encrypted user ID and password.

ID  Security method                        Description
3   CLEAR_TEXT_PASSWORD_SECURITY           User ID and password
7   ENCRYPTED_PASSWORD_SECURITY            User ID and encrypted password
9   ENCRYPTED_USER_AND_PASSWORD_SECURITY   Encrypted user ID and encrypted password

If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the encryptionAlgorithm=2 property.

JDBC user name and password

The following examples show the commands to connect with and without secure sockets layer (SSL):

SSL

"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id;sslConnection=true;"

Non-SSL

"jdbc:db2://host_name_or_IP_address:db2_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id;"

CLP user name and password

Connect to the database server database_server_name with a Cloud Pak for Data user name and password by running the following command at the CLP command prompt or from a script:

CONNECT TO database_server_name USER user_name USING password

CLPPlus user name and password

Connect to the DSN alias (@data_source_name) with a Cloud Pak for Data user name and password by running the following command at the CLPPlus command prompt or from a script:

CONNECT user_name/password@data_source_name

JWT tokens

You can connect with JWT tokens.

JDBC access token

"jdbc:db2://host_name_or_IP_address/database_name:accessToken=access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true;"

CLP access token

Connect to the database server database_server_name and pass the access token by running the following command at the CLP command prompt or from a script:

CONNECT TO database_server_name ACCESSTOKEN access_token

CLPPlus access token

Connect to the DSN alias (@data_source_name) and pass the access token by running the following command at the CLPPlus command prompt or from a script:

CONNECT @data_source_name using(accesstoken access_token)

API keys

You can connect by providing an API key.

JDBC API key

"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:apiKey=user_name:api_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true;"

CLP API key

Connect to the database server database_server_name with an API key by running the following command at the CLP command prompt or from a script:

CONNECT TO database_server_name APIKEY user_name:api_key

CLPPlus API key

Connect to the DSN alias (@data_source_name) with an API key by running the following command at the CLPPlus command prompt or from a script:

CONNECT @data_source_name using(apikey user_name:api_key)
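
The following added example (not part of the original documentation) audits JDBC URLs against the rules this page states: prefer SSL, non-SSL only with user name and password, encryptionAlgorithm=2 with mechanisms 7 and 9, and securityMechanism=15 with pluginName=IBMIAMauth for access tokens and API keys, as in the page's examples. The function names parse_properties and audit and the sample URLs are assumptions made for illustration.

```python
# Hypothetical helpers (not an IBM API) that check the rules listed on this page.
PASSWORD_MECHANISMS = {"3", "7", "9"}  # IDs from the security mechanism table
ENCRYPTED_MECHANISMS = {"7", "9"}      # these require encryptionAlgorithm=2

def parse_properties(url):
    """Return the property=value pairs found after 'host[:port]/database_name:'."""
    prefix = "jdbc:db2://"
    if not url.startswith(prefix):
        raise ValueError("not a Db2 JDBC URL")
    _, _, rest = url[len(prefix):].partition("/")
    _, _, prop_text = rest.partition(":")
    props = {}
    for pair in filter(None, prop_text.split(";")):
        key, _, value = pair.partition("=")
        props[key] = value
    return props

def audit(url):
    """Return findings; an empty list means the URL follows the page's rules."""
    props = parse_properties(url)
    findings = []
    ssl = props.get("sslConnection", "").lower() == "true"
    mech = props.get("securityMechanism")
    token_auth = "accessToken" in props or "apiKey" in props
    if not ssl:
        findings.append("non-SSL connection; the page recommends SSL")
    if token_auth:
        if not ssl:
            findings.append("non-SSL is only supported with user name and password")
        if mech != "15" or props.get("pluginName") != "IBMIAMauth":
            findings.append("token or API key needs securityMechanism=15 and pluginName=IBMIAMauth")
    elif mech not in PASSWORD_MECHANISMS:
        findings.append("securityMechanism is not 3, 7 or 9")
    elif mech in ENCRYPTED_MECHANISMS and props.get("encryptionAlgorithm") != "2":
        findings.append("mechanism 7 or 9 requires encryptionAlgorithm=2")
    elif mech == "3" and not ssl:
        findings.append("clear text password sent over a non-SSL connection")
    return findings

# Constructed sample URLs; host, ports, database and credentials are placeholders.
SAMPLES = [
    "jdbc:db2://db.example.test:50000/BLUDB:user=alice;password=pw;securityMechanism=3;",
    "jdbc:db2://db.example.test:50001/BLUDB:user=alice;password=pw;securityMechanism=7;sslConnection=true;",
    "jdbc:db2://db.example.test:50001/BLUDB:apiKey=alice:key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true;",
]

if __name__ == "__main__":
    for index, sample in enumerate(SAMPLES):
        print(index, audit(sample) or "ok")  # print the index, never the URL with its secret
```

Run it over connection strings collected from application configuration; the first sample reports two findings, the second one, and the third none.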