Authenticating with the database

Db2® for z/OS® Development supports several methods of authenticating with a database system. Learn how to set up a login method and how various login methods work with other preferences and functions of Db2 for z/OS Development.

Choosing a login method

Use the General page of the database connection properties window to choose a database login method.

  1. In the Remote Systems view, expand a z/OS system connection, and then expand the Db2 for z/OS subsystem.
  2. Expand Db2 for z/OS Connections.
  3. Right-click a connection name and select Properties.
  4. In the navigation pane on the left, click General.
  5. From the Login method list, choose one of these authentication methods:
    • Password: Authenticate with the database server by using a RACF user ID and password. The default user ID and password are the ones that you use to connect to the z/OS system. You can select the Override checkboxes to specify a different user ID and password. If the overridden password field is left blank, Db2 for z/OS Development prompts you for a password each time a connection is established or re-established.
    • PassTicket: Authenticate with the database server by using a RACF PassTicket. The default user ID is the one that you use to connect to the z/OS system. You can select the Override checkbox to override the user ID. Consult with your Db2 system programmer to determine if PassTickets are supported. PassTicket values are requested only when needed, and any entered values are temporary and not stored.
    • MFA Token: Use multifactor authentication to connect to the database server. When you select this option, you log in to the database server with a user ID and password (or overrides), and also provide an MFA token when you connect. MFA tokens are usually single-use or valid only for a short time. Therefore, you might need to enter a new MFA token for operations that require opening a dedicated connection, such as starting a debug session.

      If your environment is configured for MFA-only login, you can log in without a password by selecting the checkbox labeled Use multifactor authentication without a password. When this checkbox is selected, the password fields are hidden, and only the MFA token is required. If the checkbox is cleared and the password field is left blank, you must enter both the password and the MFA token. All prompted values are masked and not stored.

    Remember: When a password, MFA token, or PassTicket is requested, a prompt appears automatically. Selecting the Cancel option stops the connection attempt quietly, although some operations might display a message about failed connectivity.

Password and PassTicket authentication considerations

When you authenticate with the database server by using a RACF user ID and password or PassTicket, you can also use these features of Db2 for z/OS Development.
  • Automatically connect on product startup. To automatically connect when the product starts, open the Preferences window and select Remote Systems. Then, select the Automatically connect on startup checkbox and click Apply and Close. This preference takes effect after you restart the workspace.
  • If the connection to the database server is interrupted or altered, for example, by changing the Db2 for z/OS Preferences, then Db2 for z/OS Development attempts to reconnect automatically.
  • To connect one or more database connections, right-click the Db2 for z/OS subsystem of the remote system connection, and click Connect All. The client attempts to connect to all defined database connections. If any connection errors occur, the database connections that have errors are marked with a connection error flag. To open the error message, right-click the flagged connection and click Show Connection Error.
  • The client uses the Connection keep alive setting in the Db2 for z/OS Preferences page to periodically poll the active connections to maintain connectivity. If one or more connections begin to fail, the client opens a message window to display the connection errors.

MFA Token authentication considerations

MFA tokens are single-use or short-term (one minute or less) authentication tokens that you enter in conjunction with a user ID and password. When a database connection is configured for multifactor authentication, you are prompted to enter an MFA token when you connect to the database or test a database connection. MFA tokens are strings generated by an authenticator application, such as IBM Verify, for identifying yourself to a system, such as a Db2 for z/OS database server.
Actions that consume MFA tokens
Several Db2 for z/OS Development operations might consume an MFA token and prompt you to enter a token if multifactor authentication is configured.
  • Test a database connection using the Test Connection button.
  • Connect to a Db2 for z/OS database, either manually or automatically when a database action, such as Run SQL, Deploy Stored Procedure, or navigating the Catalog, is started.
  • Start a debug stored procedure session.
  • Run a tuning service job.
Known limitations
  • Use of multifactor authentication with Tuning Services might not function correctly. If you experience MFA tokens expiring while using Tuning Services, try using the Db2 for z/OS MFA_AUTHCACHE_UNUSED_TIME configuration parameter to enable a longer token life. For more information about this parameter, see MFA AUTH UNUSED TIME field.
  • If MFA tokens are configured for a short expiration time, the database server establishes two connections when initially connecting to the database and reserves the second connection for debug sessions so that you do not have to enter a new MFA token. If the secondary connection fails to be established, you might be prompted to enter a new MFA token each time you start a debug session.
  • Auto connect is not supported for authentication by MFA token. Only manual or on-demand connections are supported with multifactor authentication.
  • Connections that use MFA or PassTickets do not support tuning profile creation.