Reusing a local trusted connection through RRSAF
If you use Resource Recovery Services Attachment Facility (RRSAF) to switch to a new user on a trusted connection, Db2 obtains the primary authorization ID and runs the sign-on exit routine.
About this task
Db2 checks whether the primary authorization ID is allowed to use the trusted connection without authentication. If it is allowed, Db2 determines whether SECURITY LABEL is explicitly or implicitly defined in the trusted context for the user. If SECURITY LABEL is defined, Db2 verifies the SECURITY LABEL with RACF® by using the RACROUTE VERIFY request. If the SECURITY LABEL verification is successful, the trusted connection is used by the new user.
If the primary authorization ID is not allowed to use the trusted connection without authentication, Db2 returns the connection to an unconnected state. The only action that you can take is to try running the sign-on exit routine again. Until a valid authorization is established, any SQL statement that you issue causes Db2 to return an error.
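The following trusted context definition is an added example, not taken from the original page, showing how each outcome described above maps to the WITH USE FOR clause. The context name, job name, authorization IDs, and security label names are constructed for illustration.

```sql
-- Added example: all names below (CTXLOCAL, ADMF001, PAYBATCH, SALLY, JOE,
-- BOB, SECLOW, SECHIGH) are constructed placeholders.
CREATE TRUSTED CONTEXT CTXLOCAL
  -- The local connection is trusted when it is established under this
  -- system authorization ID from a job or started task with this name.
  BASED UPON CONNECTION USING SYSTEM AUTHID ADMF001
  ATTRIBUTES (JOBNAME 'PAYBATCH')
  -- Implicit security label: applies to any user of the context who has
  -- no SECURITY LABEL of their own in the WITH USE FOR clause.
  DEFAULT SECURITY LABEL SECLOW
  ENABLE
  WITH USE FOR
    -- SALLY may switch without authentication. She has no explicit label,
    -- so the default label SECLOW is the one verified with RACF.
    SALLY WITHOUT AUTHENTICATION,
    -- JOE may switch without authentication. His explicit label SECHIGH
    -- is the one verified with RACF.
    JOE SECURITY LABEL SECHIGH WITHOUT AUTHENTICATION,
    -- BOB is not allowed to use the connection without authentication,
    -- so an RRSAF switch to BOB takes the path described in the last
    -- paragraph above: the connection returns to an unconnected state.
    BOB WITH AUTHENTICATION;
```

An authorization ID that does not appear in the WITH USE FOR clause at all is likewise not allowed to use the trusted connection. Keeping the WITHOUT AUTHENTICATION list short and reviewing it regularly limits which IDs a holder of the trusted connection can switch to.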