Authentication CLI/ODBC configuration keyword

Specifies the type of authentication to be used with file DSN or DSN-less connectivity.

Important: The SERVER_ENCRYPT and SERVER_ENCRYPT_AES authentication types are deprecated and disabled in strict FIPS mode. For more information on the deprecation, see Authentication methods for your server.
db2cli.ini keyword syntax:
Authentication = CERTIFICATE|SERVER | SERVER_ENCRYPT | SERVER_ENCRYPT_AES | KERBEROS | GSSPLUGIN | TOKEN
Note: When a connection is established by using TLS, clients that are cataloged with the SERVER_ENCRYPT authentication type are able to connect to servers that are configured with the SERVER authentication type.
Default setting:
Not specified
Usage notes:
The Authentication keyword can be set in the data source section ([data source]) of the db2cli.ini file, or in a connection string.
When you set the Authentication keyword, you must also set the following CLI/ODBC keywords in the db2cli.ini file:
  • Database
  • Protocol.

If the Protocol keyword is set to IPC (Protocol=IPC), you must also set the Instance keyword.

If the Protocol keyword is set to TCPIP (Protocol=TCPIP), you must set the following CLI/ODBC keywords in the db2cli.ini file:
  • Port
  • Hostname.

If the Authentication keyword is set to KERBEROS, you must also set the TargetPrinciple keyword. When the Authentication keyword is set to Kerberos, you can optionally specify the KRBPlugin keyword. If the KRBPlugin keyword is not specified, the default IBMkrb5 plug-in is used.

You can specify the SSL client authentication by setting the Authentication keyword to the CERTIFICATE value in the db2cli.ini for connection to Db2® for z/OS® servers with following conditions:
  • A connection to the server must be established with the CLI driver. The CERTIFICATE authentication is specific to CLI, and ODBC connections.
  • Db2 for z/OS server must be Version 10 or later. If you are connecting to Db2 for z/OS Version 10 server, Known Issue PM53450 must be installed.
  • Connections to Db2 for z/OS server must be a direct connection between Db2 client and supported z/OS server. You cannot use Db2 Connect server as a gateway to establish connection to target z/OS servers.
  • The SSLClientLabel keyword must be set if more than one personal certificate or more than one key entry exists in the Keystore or Microsoft Certificate Store.
  • A connection to supported Db2 for z/OS servers must be made with the application connection string, the IBM® data server driver configuration file or the db2cli.ini file. You cannot use the local database catalog to establish connections to Db2 for z/OS servers.
  • You cannot specify a user password.