Reusing a local trusted connection through the DSN command processor and DB2I
You can use the DSN command processor and DB2I to switch the user on a trusted connection if the DSN ASUSER option is specified.
About this task
Db2 establishes a trusted connection if the primary authorization ID or one of the secondary authorization IDs and the job name match a trusted context that is defined in Db2.
The user ID that is specified for the ASUSER option goes through the standard authorization processing. If the user ID is authorized, Db2 runs the connection exit routine to associate the primary and secondary IDs.
Db2 then checks whether the primary authorization ID is allowed to use the trusted connection without authentication. If it is, Db2 determines whether the SECURITY LABEL attribute is defined in the trusted context for the user, either explicitly or implicitly. If the SECURITY LABEL attribute is defined with a security label, Db2 verifies the security label with RACF®. If the verification of the security label is successful, the trusted connection is established and used by the user ID that is specified for the ASUSER option. Db2 uses the security label for multilevel security verification for the user.
The connection request fails if the primary authorization ID that is associated with the user ID specified for the ASUSER option is not allowed to use the trusted connection or requires authentication information. The connection request also fails if the security label verification is not successful.
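The following definition and DSN invocations illustrate the three outcomes described above. This is an added example, not taken from the original page or from IBM's samples. Every name in it (CTXBATCH, BATCHID, PAYJOB1, APPUSR1, APPUSR2, OTHERID, SECLBL1, DB2A) is a hypothetical placeholder, and it assumes that multilevel security is active in RACF and that APPUSR1 is permitted to SECLBL1.

```sql
-- Constructed example; all identifiers are hypothetical placeholders.

-- Trusted context that a local DSN or DB2I session matches on its
-- authorization ID (BATCHID) and job name (PAYJOB1).
CREATE TRUSTED CONTEXT CTXBATCH
  BASED UPON CONNECTION USING SYSTEM AUTHID BATCHID
  ATTRIBUTES (JOBNAME 'PAYJOB1')
  ENABLE
  WITH USE FOR
    -- Can be named on ASUSER: allowed without authentication, and the
    -- security label is verified with RACF before the switch succeeds.
    APPUSR1 SECURITY LABEL SECLBL1 WITHOUT AUTHENTICATION,
    -- Requires authentication information, so switching to this ID
    -- through DSN ASUSER fails.
    APPUSR2 WITH AUTHENTICATION;

-- DSN invocations from a TSO batch job named PAYJOB1 that runs under
-- BATCHID, against a subsystem named DB2A:
--
--   DSN SYSTEM(DB2A) ASUSER(APPUSR1)
--     Trusted connection is established and used by APPUSR1;
--     SECLBL1 is used for multilevel security verification.
--
--   DSN SYSTEM(DB2A) ASUSER(APPUSR2)
--     Connection request fails: APPUSR2 requires authentication.
--
--   DSN SYSTEM(DB2A) ASUSER(OTHERID)
--     Connection request fails: OTHERID is not allowed to use the
--     trusted connection.
```

When reviewing a context like this, treat every ID listed WITHOUT AUTHENTICATION as an identity that anyone able to run the matching job under the system authorization ID can assume, and keep that list as short as the workload allows.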