Dynamic updates to the token configuration file
Dynamic updates allow you to update certificates that are close to their expiry dates without the need for a temporary outage.
- The token configuration file on disk has an updated timestamp compared to the in-memory token configuration currently used by Db2®.
- Db2 was unable to authenticate the presented TOKEN. This can occur when a new token type or verification certificate was added to the token configuration file.
Db2 will then read the updated token configuration from disk and attempt to authenticate the presented token. If the token is successfully authenticated using the on-disk configuration, the in-memory token configuration is updated and the connection continues. If the token cannot be verified using the on-disk configuration, the in-memory configuration is not updated and an error is returned.
This behavior can be turned off by setting the Db2 registry variable DB2_REFRESH_TOKEN_CONFIG_ON_FAILURE to false. This registry variable is dynamic and can be updated online.
db2set DB2_REFRESH_TOKEN_CONFIG_ON_FAILURE=false
db2 call sysproc.admin_refresh_config('token')
For more information on this procedure, see ADMIN_REFRESH_CONFIG stored procedure.
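The refresh-on-failure flow described above, modelled in Python as an added example (not Db2 or IBM code). The class and function names, the HMAC stand-in for certificate-based token verification, and the reading that both listed conditions must hold before a refresh is attempted are assumptions.

```python
import hashlib
import hmac

def sign(key: bytes, claims: bytes) -> bytes:
    # Stand-in for a token signature (HMAC instead of a certificate-based check).
    return hmac.new(key, claims, hashlib.sha256).digest()

class TokenAuthenticator:
    """Toy model of the refresh-on-failure flow; hypothetical, not Db2 code."""

    def __init__(self, disk: dict, refresh_on_failure: bool = True):
        self.disk = disk                      # constructed stand-in for the file on disk
        self.memory = self._load()            # in-memory configuration currently in use
        self.refresh_on_failure = refresh_on_failure

    def _load(self) -> dict:
        return {"mtime": self.disk["mtime"], "keys": list(self.disk["keys"])}

    @staticmethod
    def _verify(config: dict, claims: bytes, sig: bytes) -> bool:
        return any(hmac.compare_digest(sign(k, claims), sig) for k in config["keys"])

    def authenticate(self, claims: bytes, sig: bytes) -> bool:
        if self._verify(self.memory, claims, sig):
            return True
        # Assumption: a refresh needs both a newer file and a failed verification.
        newer = self.disk["mtime"] > self.memory["mtime"]
        if not (self.refresh_on_failure and newer):
            return False
        candidate = self._load()              # read the on-disk configuration
        if self._verify(candidate, claims, sig):
            self.memory = candidate           # adopted only after it verified a token
            return True
        return False                          # in-memory configuration is left unchanged

def rotation_demo(refresh_on_failure: bool):
    old_key, new_key, rogue_key = b"old-cert", b"new-cert", b"unknown-cert"  # constructed
    disk = {"mtime": 100, "keys": [old_key]}
    auth = TokenAuthenticator(disk, refresh_on_failure)
    disk.update(mtime=200, keys=[old_key, new_key])  # administrator adds a certificate
    claims = b'{"sub":"appuser"}'                    # constructed sample claims
    rogue = auth.authenticate(claims, sign(rogue_key, claims))
    mtime_after_rogue = auth.memory["mtime"]
    rotated = auth.authenticate(claims, sign(new_key, claims))
    return rogue, mtime_after_rogue, rotated, auth.memory["mtime"]

if __name__ == "__main__":
    print(rotation_demo(True))
    print(rotation_demo(False))
```

With the refresh enabled, a token signed by an unknown key is rejected without replacing the in-memory configuration, while a token signed with the newly added key triggers the reload; with it disabled, the new key is not accepted until the configuration is refreshed by other means.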