Restrictions for GSS-API authentication plug-ins

The following list describes the restrictions for GSS-API authentication plug-ins.

  • The default security mechanism is always assumed; therefore, there is no OID consideration.
  • The only GSS services requested in gss_init_sec_context() are mutual authentication and delegation. The Db2® database manager always requests a ticket for delegation, but does not use that ticket to generate a new ticket.
  • Only the default context time is requested.
  • Context tokens from gss_delete_sec_context() are not sent from the client to the server or vice versa.
  • Anonymity is not supported.
  • Channel binding is not supported.
  • If the initial credentials expire, the Db2 database manager does not automatically renew them.
  • The GSS-API specification stipulates that even if gss_init_sec_context() or gss_accept_sec_context() fail, either function must return a token to send to the peer. However, because of DRDA limitations, the Db2 database manager only sends a token if gss_init_sec_context() fails and generates a token on the first call.