SYSIBM.IPNAMES columns

The SYSIBM.IPNAMES table is used only for outbound requests that use TCP/IP protocols.

Begin general-use programming interface information.
LINKNAME CHAR(8)
The name used in the LINKNAME column of SYSIBM.LOCATIONS to identify the remote system.
IPADDR
Specifies an IP address or domain name of a remote TCP/IP host.
SECURITY_OUT
Indicates the DRDA security option that is used for outbound connections when local Db2 SQL applications connect to any remote server that is associated with this TCP/IP host.
A
Specifies the default already verified option, which means that outbound connection requests contain an authorization ID and no password.

The value that is used for an outbound request is either the Db2 user's authorization ID or a translated ID, depending on the value in the USERNAMES column.

The authorization ID is not encrypted when it is sent to the partner.

For otherwise equivalent behavior with encryption, see 'D'.

D
Specifies the user ID and security-sensitive data encryption option, which means that outbound connection requests contain an authorization ID and no password.

The authorization ID that is used for an outbound request is either the Db2 user's authorization ID or a translated ID, depending on the USERNAMES column.

This option specifies that the user ID and the security-sensitive data are to be encrypted. Security-sensitive data is any input or output data. Examples are rows that are retrieved from a remote server, rows that are sent to the remote server, and SQL statement text.

For otherwise equivalent behavior if you do not require encryption, see 'A'.

E
Specifies the user ID, password, and security-sensitive data encryption option, which means connection requests contain an authorization ID and a password.

This option indicates that the user ID, password, and security-sensitive data are to be encrypted. Security-sensitive data is any input or output data. Examples are rows that are retrieved from a remote server, rows that are sent to the remote server, and SQL statement text.

For otherwise equivalent behavior if you do not require security-sensitive data encryption, see 'P'.

The password is obtained from the SYSIBM.USERNAMES table.

If you specify 'E' for SECURITY_OUT, the supported USERNAMES column values depend on the LOCATIONS.TRUSTED column value:
  • If the LOCATIONS.TRUSTED column value is 'Y', the USERNAMES value can be 'O' or 'S'.
  • If the LOCATIONS.TRUSTED column value is 'N', the USERNAMES value must be 'O'.
P
Specifies the password security option, which means that outbound connection requests contain an authorization ID and a password.

The password is obtained from the SYSIBM.USERNAMES table.

If you specify 'P' and the server supports encryption, the user ID and the password are encrypted. If the server does not support encryption, the user ID and the password are sent to the partner in clear text.

For otherwise equivalent behavior if you also need to encrypt security-sensitive data, see 'E'.

If you specify 'P' for SECURITY_OUT, the supported USERNAMES column values depend on the LOCATIONS.TRUSTED column value:
  • If the LOCATIONS.TRUSTED column value is 'Y', the USERNAMES value can be 'O' or 'S'.
  • If the LOCATIONS.TRUSTED column value is 'N', the USERNAMES value must be 'O'.
R
Specifies the RACF® PassTicket option, which means that outbound connection requests contain a user ID and a RACF PassTicket.

When a RACF PassTicket is generated, the LINKNAME column value is used as the RACF PassTicket application name and must match the following at the target server.

  • LUNAME - if the remote site is a Db2 subsystem that is defined with only an LUNAME value and no GENERIC LU name value or IPNAME value
  • GENERIC - if the remote site is a Db2 subsystem that is defined with a GENERIC LU name value in addition to an LUNAME value but no IPNAME value
  • IPNAME - if the remote site is a Db2 subsystem that is defined with an IPNAME value that triggers the remote Db2 subsystem's DDF to activate only its TCP/IP communications support.

The value that is used for an outbound request is either the Db2 user's authorization ID or a translated ID, depending on the value in the USERNAMES column. The translated ID is used to build the RACF PassTicket.

Important: Do not specify R for CONNECT statements with a USER parameter. If a user ID and password are explicitly specified in a CONNECT statement, Db2 does not translate them.

The authorization ID is not encrypted when it is sent to the partner.

T
FL 505 Specifies the authentication token option, which means that an outbound connection request contains an authentication token only, without any other user credential.

A Db2 requester can use the value in the LINKNAME column to invoke RACF to obtain an authentication token based on the current authentication environment. The requester passes the token in the outbound connection request to the remote Db2 server. The server presents the token to RACF for validation. Upon successful validation of the token, the Db2 server authenticates the connection request.

With the authentication token, the outbound request cannot be configured to establish the connection as trusted. The authorization token exchange is not encrypted unless the outbound connection is created as a secure connection based on TCP/IP or AT-TLS rules.

USERNAMES CHAR(1)
This column indicates whether an outbound request translates the authorization ID. When you specify 'O', use the SYSIBM.USERNAMES table to perform the translation.
O
The outbound ID is subject to translation. Rows in the SYSIBM.USERNAMES table are used to perform ID translation. If a connection to any remote server is to be established as trusted, a row in the SYSIBM.USERNAMES table is used to obtain the system authorization ID.

FL 505 If you use the authentication token option and set SECURITY_OUT='T', make sure that the translated user ID exists on the requesting system.

S
The system authorization ID used within a trusted context is obtained from the SYSIBM.USERNAMES table. If the system authorization ID that is specified in the AUTHID column is different from the primary authorization ID, Db2 sends the user switch request on behalf of the primary authorization ID after successfully establishing the trusted connection.
blank
No translation is done.

Supported combinations for SECURITY_OUT and USERNAMES column values

The following table summarizes the supported USERNAMES values for specific IPNAMES.SECURITY_OUT and LOCATIONS.TRUSTED column values. Db2 returns an error if other unsupported combinations of these values are specified.
| IPNAMES.SECURITY_OUT option | LOCATIONS.TRUSTED option | IPNAMES.USERNAMES values supported |
|---|---|---|
| 'A' | Any | blank |
| 'D' | Any | blank |
| 'E' | 'N' | 'O' |
| 'E' | 'Y' | 'O' or 'S' |
| 'P' | 'N' | 'O' |
| 'P' | 'Y' | 'O' or 'S' |
| 'R' | Any | 'O', 'S', or blank |
| 'T' | 'N' | 'O' or blank |
End general-use programming interface information.
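
The following audit query is an added example, not part of the IBM documentation. It lists every outbound TCP/IP definition with the wire exposure this page describes for its SECURITY_OUT value and checks the SECURITY_OUT, TRUSTED, and USERNAMES combination against the supported-combinations table. It assumes the LOCATION column of SYSIBM.LOCATIONS; the result column names WIRE_EXPOSURE and COMBINATION are illustrative.

```sql
-- Added example: review outbound DRDA security settings in the
-- communications database. Exposure notes and combination rules
-- are taken from the SECURITY_OUT and USERNAMES descriptions above.
SELECT L.LOCATION,
       I.LINKNAME,
       I.SECURITY_OUT,
       I.USERNAMES,
       L.TRUSTED,
       CASE I.SECURITY_OUT
         WHEN 'A' THEN 'AUTHID UNENCRYPTED, NO PASSWORD'
         WHEN 'R' THEN 'AUTHID UNENCRYPTED, PASSTICKET'
         WHEN 'P' THEN 'CLEAR TEXT IF SERVER LACKS ENCRYPTION'
         WHEN 'T' THEN 'TOKEN UNENCRYPTED UNLESS SECURE CONNECTION'
         WHEN 'D' THEN 'AUTHID AND DATA ENCRYPTED'
         WHEN 'E' THEN 'AUTHID, PASSWORD AND DATA ENCRYPTED'
         ELSE 'UNKNOWN SECURITY_OUT VALUE'
       END AS WIRE_EXPOSURE,
       CASE
         -- Rows where any TRUSTED value is supported
         WHEN I.SECURITY_OUT IN ('A', 'D')
              AND I.USERNAMES = ' '             THEN 'SUPPORTED'
         WHEN I.SECURITY_OUT = 'R'
              AND I.USERNAMES IN ('O', 'S', ' ') THEN 'SUPPORTED'
         -- IPNAMES row that no LOCATIONS row references
         WHEN L.LINKNAME IS NULL                THEN 'NO LOCATIONS ROW'
         -- Rows that depend on LOCATIONS.TRUSTED
         WHEN I.SECURITY_OUT IN ('E', 'P')
              AND L.TRUSTED = 'N'
              AND I.USERNAMES = 'O'             THEN 'SUPPORTED'
         WHEN I.SECURITY_OUT IN ('E', 'P')
              AND L.TRUSTED = 'Y'
              AND I.USERNAMES IN ('O', 'S')     THEN 'SUPPORTED'
         WHEN I.SECURITY_OUT = 'T'
              AND L.TRUSTED = 'N'
              AND I.USERNAMES IN ('O', ' ')     THEN 'SUPPORTED'
         ELSE 'NOT IN SUPPORTED TABLE'
       END AS COMBINATION
  FROM SYSIBM.IPNAMES I
  LEFT OUTER JOIN SYSIBM.LOCATIONS L
    ON L.LINKNAME = I.LINKNAME
 ORDER BY I.LINKNAME, L.LOCATION;
```

Rows reported with 'A', 'R', 'P', or 'T' are the ones to review against the network path to the partner, because the page states that these options can send the authorization ID, credentials, or token without encryption.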