Processing of outbound connection requests
A Db2 subsystem completes a sequence of tasks when sending out a connection request.
- The Db2 subsystem that sends the request checks whether the primary authorization ID has the privilege to execute the plan or package.
  Db2 determines which value in the LINKNAME column of the SYSIBM.LOCATIONS table matches either the LUNAME column in the SYSIBM.LUNAMES table or the LINKNAME column in the SYSIBM.IPNAMES table. This check determines whether SNA or TCP/IP protocols are used to carry the DRDA request. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption.
- When a plan is executed, the authorization ID of the plan owner is sent with the primary authorization ID. When a package is bound, the authorization ID of the package owner is sent with the primary authorization ID. If the USERNAMES column of the SYSIBM.LUNAMES table contains O or B, or if the USERNAMES column of the SYSIBM.IPNAMES table contains O, both IDs are subject to translation under control of the SYSIBM.USERNAMES table. Ensure that these IDs are included in SYSIBM.USERNAMES, or SQLCODE -904 is issued. Db2 translates the ID as follows:
  - If a nonblank value of NEWAUTHID is in the row, that value becomes the new ID.
  - If NEWAUTHID is blank, the ID is not changed.
  If the SYSIBM.USERNAMES table does not contain a new authorization ID to which the primary authorization ID is translated, the request is rejected with SQLCODE -904.
  If the USERNAMES column does not contain O or B, the IDs are not translated.
- SECURITY_OUT is checked for outbound security options as shown in the following diagram.
  Figure 2. Details of Step 3
  - A: Already verified. No password is sent with the authorization ID. This option is valid only if the server accepts already verified requests.
  - R: RACF® PassTicket. If the primary authorization ID was translated, that translated ID is sent with the PassTicket.
  - P: Password. The outbound request must be accompanied by a password:
  - D: User ID and security-sensitive data encryption. No password is sent with the authorization ID. If the Integrated Cryptographic Service Facility (ICSF) is enabled and properly configured and the server supports encryption, the authorization ID is encrypted before it is sent. If the ICSF is not enabled or properly configured, SQL return code -904 is returned. If the server does not support encryption, SQL return code -30082 is returned.
  - E: User ID, password, and security-sensitive data encryption. If the ICSF is enabled and properly configured and the server supports encryption, the password is encrypted before it is sent. If the ICSF is not enabled or properly configured, SQL return code -904 is returned. If the server does not support encryption, SQL return code -30082 is returned.
Security options D and E control security-sensitive data encryption. Security-sensitive data is any input or output data. Examples are rows that are retrieved from a remote server, rows that are sent to the remote server, and SQL statement text.
- Send the request.
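The LINKNAME lookup, outbound ID translation and SECURITY_OUT checks described in the steps above, as an added model written for this page (not IBM's code) over constructed in-memory catalog rows. Column names LINKNAME, LUNAME, USERNAMES, SECURITY_OUT and NEWAUTHID come from the text; the TYPE and AUTHID columns of SYSIBM.USERNAMES and the exact row-matching rule are assumptions made for the illustration.

```python
class OutboundError(Exception):
    """Carries the SQLCODE the text says Db2 returns for the failing case."""
    def __init__(self, sqlcode, reason):
        super().__init__(f"SQLCODE {sqlcode}: {reason}")
        self.sqlcode = sqlcode

# Constructed catalog contents, keyed the way the text describes the lookups.
LOCATIONS = {"CHICAGO": "LUCHI", "DALLAS": "IPDAL"}             # LOCATION -> LINKNAME
LUNAMES = {"LUCHI": {"USERNAMES": "O", "SECURITY_OUT": "R"}}     # keyed on LUNAME
IPNAMES = {"IPDAL": {"USERNAMES": " ", "SECURITY_OUT": "D"}}     # keyed on LINKNAME
USERNAMES = [                              # (TYPE, AUTHID, LINKNAME, NEWAUTHID); TYPE/AUTHID assumed
    ("O", "SMITH", "LUCHI", "DBUSER1"),    # nonblank NEWAUTHID: the ID is replaced
    ("O", "PLANOWN", "LUCHI", " "),        # blank NEWAUTHID: the ID passes unchanged
]

def link_row(location):
    """Match SYSIBM.LOCATIONS.LINKNAME against LUNAMES (SNA) or IPNAMES (TCP/IP)."""
    link = LOCATIONS[location]
    if link in LUNAMES:
        return "SNA", link, LUNAMES[link]
    if link in IPNAMES:
        return "TCP/IP", link, IPNAMES[link]
    raise OutboundError(-904, f"no LUNAMES or IPNAMES row for LINKNAME {link}")

def translate(authid, link):
    """Outbound translation under SYSIBM.USERNAMES; a missing row is SQLCODE -904."""
    for typ, aid, lnk, new in USERNAMES:
        if typ == "O" and aid == authid and lnk == link:
            return new.strip() or authid
    raise OutboundError(-904, f"no outbound USERNAMES row for {authid} on {link}")

def build_request(location, primary_id, owner_id, icsf_ok=True, server_encrypts=True):
    """Return (protocol, primary ID, owner ID, SECURITY_OUT) for the outbound request."""
    proto, link, row = link_row(location)
    usernames = row["USERNAMES"]
    # LUNAMES triggers translation on O or B; IPNAMES only on O.
    translate_ids = usernames in ("O", "B") if proto == "SNA" else usernames == "O"
    if translate_ids:
        primary_id, owner_id = translate(primary_id, link), translate(owner_id, link)
    sec = row["SECURITY_OUT"]
    if sec in ("D", "E"):   # encryption options need ICSF and a server that supports it
        if not icsf_ok:
            raise OutboundError(-904, "ICSF not enabled or not properly configured")
        if not server_encrypts:
            raise OutboundError(-30082, "server does not support encryption")
    return proto, primary_id, owner_id, sec

def failing_sqlcode(*args, **kwargs):
    """Run build_request and return the SQLCODE it raises, or None when it succeeds."""
    try:
        build_request(*args, **kwargs)
    except OutboundError as err:
        return err.sqlcode
    return None
```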