Global authentication cache
Db2 can cache user credentials when processing remote TCP/IP connections.
When processing a TCP/IP connection, Db2 authenticates a user ID by using RACF®. If the user ID is successfully authenticated, Db2 caches the user credentials for three minutes during which Db2 reuses the cached credentials for subsequent connection requests from the same user ID. Db2 deletes the cache entries if the password is changed through a DRDA password change request or if the AUTHEXIT_CACHEREFRESH system parameter is set and the user permissions are changed in RACF.
Db2 does not differentiate PassTickets from passwords while caching user credentials.
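The following model is an added example, not IBM or Db2 code; it illustrates why the three-minute window matters for PassTickets, which are cached like passwords. ModelRacf, ModelAuthCache, the per-user cache key, the fixed (non-sliding) window, and single-use PassTickets are assumptions of the model, and the user ID and credential values are constructed.

```python
import hashlib

CACHE_SECONDS = 180  # the three-minute reuse window described above


class ModelRacf:
    """Constructed stand-in for RACF: passwords plus single-use PassTickets."""

    def __init__(self):
        self.passwords = {}    # user ID -> password
        self.passtickets = {}  # user ID -> set of unused PassTickets
        self.calls = 0         # how many times the cache had to ask "RACF"

    def verify(self, user, credential):
        self.calls += 1
        if self.passwords.get(user) == credential:
            return True
        tickets = self.passtickets.get(user, set())
        if credential in tickets:
            tickets.discard(credential)  # assumption: replay protection, one use
            return True
        return False


class ModelAuthCache:
    """Model cache: one entry per user ID, passwords and PassTickets alike."""

    def __init__(self, racf):
        self.racf = racf
        self.entries = {}  # user ID -> (credential digest, expiry time)

    @staticmethod
    def _digest(credential):
        return hashlib.sha256(credential.encode()).hexdigest()

    def connect(self, user, credential, now):
        entry = self.entries.get(user)
        if entry and entry[0] == self._digest(credential) and now < entry[1]:
            return "cache"  # reused without a RACF call
        if self.racf.verify(user, credential):
            self.entries[user] = (self._digest(credential), now + CACHE_SECONDS)
            return "racf"
        return "rejected"

    def password_changed(self, user):
        self.entries.pop(user, None)  # DRDA password change deletes the entry
```

In this model a PassTicket presented again inside the window is served from the cache, while the same PassTicket presented after the window goes back to the stand-in RACF and is rejected as already used.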
Caching of MFA based credentials
Db2 stores multi-factor authentication (MFA) based credentials in the global authentication cache for clients that have sysplex workload balancing (WLB) or seamless failover enabled. The credentials can remain unused in the cache for up to two hours.
For clients that do not have sysplex WLB or seamless failover enabled, the MFA_AUTHCACHE_UNUSED_TIME subsystem parameter controls whether MFA based credentials are stored in the global authentication cache, and how long they are allowed to remain cached if unused.