Global authentication cache
Db2 can cache user credentials when processing remote TCP/IP connections.
When processing a TCP/IP connection, if the user ID is successfully authenticated by RACF® by using credentials other than multi-factor authentication (MFA) credentials, Db2 caches the user credentials for three minutes.
For connections that are using credentials other than MFA-based credentials, the global authentication cache takes the timestamp into consideration when the AUTHEXIT_CACHEREFRESH subsystem parameter is set to ALL. If the user re-authenticates within three minutes by using the cache entry match, the cache entry validity is extended for three minutes from the time of the cache entry match. If a client workstation at a particular IP address spawns new connection requests with authentication information and repeatedly creates these connections in less than three minutes each time, the cache entry remains valid until the user profile is changed in RACF.
Db2 does not differentiate PassTickets from passwords while caching user credentials.
Caching of MFA-based credentials
Db2 stores multi-factor authentication (MFA) based credentials in the global authentication cache for clients that have sysplex workload balancing (WLB) or seamless failover enabled. The credentials can remain unused in the cache for up to two hours.
For clients that do not have sysplex WLB or seamless failover enabled, the MFA_AUTHCACHE_UNUSED_TIME subsystem parameter controls whether MFA-based credentials are stored in the global authentication cache, and how long they are allowed to remain cached if unused.
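The following sketch models the sliding expiry described in the sections above, to show that the effective lifetime of a cached credential depends on how often the client reconnects rather than on the three-minute figure alone. It is an added illustration, not Db2 code: the class and function names, the cache key (user ID plus credential kind), and the assumption that every RACF check succeeds are hypothetical, and the two-hour MFA value applies to clients with sysplex WLB or seamless failover enabled.

```python
from dataclasses import dataclass, field

PASSWORD_TTL = 3 * 60        # three minutes (non-MFA credentials), from the page
MFA_UNUSED_TTL = 2 * 3600    # two hours unused (MFA, WLB/failover clients), from the page


@dataclass
class AuthCacheModel:
    """Toy model of a cache whose entries are extended on every match."""
    racf_calls: int = 0
    entries: dict = field(default_factory=dict)  # (user, is_mfa) -> expiry time in seconds

    def connect(self, user, now, mfa=False):
        """Return 'cache' when the entry matched, 'racf' when a full check ran."""
        key = (user, mfa)            # assumed key; the page does not describe the real one
        ttl = MFA_UNUSED_TTL if mfa else PASSWORD_TTL
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            # A match extends validity for a full TTL from the time of the match.
            self.entries[key] = now + ttl
            return "cache"
        # Miss or expired entry: authenticate against RACF (assumed to succeed).
        self.racf_calls += 1
        self.entries[key] = now + ttl
        return "racf"

    def profile_changed(self, user):
        """A change to the user's RACF profile ends the validity of cached entries."""
        for key in [k for k in self.entries if k[0] == user]:
            del self.entries[key]


def racf_checks(arrival_times, user="USER1", mfa=False):
    """Count full RACF authentications for connections at the given times (seconds)."""
    cache = AuthCacheModel()
    for t in arrival_times:
        cache.connect(user, t, mfa)
    return cache.racf_calls


if __name__ == "__main__":
    # Constructed workload: one connection every 170 seconds for an hour.
    print("RACF checks, 170 s cadence:", racf_checks(range(0, 3600, 170)))
    # Constructed workload: a 260-second gap lets the entry lapse once.
    print("RACF checks, one long gap:", racf_checks([0, 170, 340, 600]))
```
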