User credentials and supported authentication methods in Db2

Db2 uses your IBM Software Hub credentials to connect to the database service.

IBM Software Hub users who are authorized can connect to and use Db2.

Db2 supports the following authentication methods.

Username and password
JWT tokens
API keys
Connections to Db2 through external providers

Recommendation: Use SSL connections instead of non-SSL connections. Non-SSL connections can be considered only for legacy applications and are supported only with username and password authentication.

The following variables are used in the examples.

host_name_or_IP_address: The hostname or IP address of the IBM Software Hub instance.
db2_ssl_port: The port number of the Db2 SSL instance.
db2_port: The port number of the Db2 instance.
database_name: The name of the Db2 database.
user_name: The IBM Software Hub username.
password: The IBM Software Hub password.
security_mechanism_id: One of the values in the ID column from Table 1.
access_token: The IBM Software Hub platform token. Used only in JWT tokens.
api_key: The IBM Software Hub platform API key. Used only in API keys.

Username and password

When you connect to the Db2 database service with a username and password, you can supply a clear text password, an encrypted password, or an encrypted user ID and password.

Table 1. Supported security mechanisms for supplying a username and password
ID	Security method	Description
3	CLEAR_TEXT_PASSWORD_SECURITY	User ID and password
7	ENCRYPTED_PASSWORD_SECURITY	User ID and encrypted password
9	ENCRYPTED_USER_AND_PASSWORD_SECURITY	Encrypted user ID and encrypted password

If you are using security mechanism ENCRYPTED_PASSWORD_SECURITY or ENCRYPTED_USER_AND_PASSWORD_SECURITY, you must set the encryptionAlgorithm=2 property.

JDBC username and password

The following examples show the commands to connect with and without the secure sockets layer (SSL).

SSL

Run the following command to connect with the secure sockets layer (SSL).

"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id;sslConnection=true"

Non-SSL

Run the following command to connect without the secure sockets layer (SSL).

"jdbc:db2://host_name_or_IP_address:db2_port/database_name:user=user_name;password=password;securityMechanism=security_mechanism_id"

CLP username and password

Connect to the database server database_server_name with a IBM Software Hub username and password by running the following command at the CLP command prompt or from a script.

CONNECT TO database_server_name USER user_name USING password

CLPPlus username and password

Connect to the DSN alias (@data_source_name) with a IBM Software Hub username and password by running the following command at the CLPPLUS command prompt or from a script.

CONNECT user_name/password@data_source_name

JWT tokens

You can connect to the Db2 database service with JWT tokens.

JDBC access token

"jdbc:db2://host_name_or_IP_address/database_name:accessToken=access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"

CLP access token

Connect to the database server database_server_name and pass the access token by running the following command at the CLP command prompt or from a script.

CONNECT TO database_server_name ACCESSTOKEN access_token

CLPPlus access token

Connect to the DSN alias (@data_source_name) and pass the access token by running the following command at the CLPPLUS command prompt or from a script.

CONNECT @data_source_name using(accesstoken access_token)

API keys

You can connect to the Db2 database service by providing an API key.

JDBC API key

"jdbc:db2://host_name_or_IP_address:db2_ssl_port/database_name:apiKey=user_name:api_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"

CLP API key

Connect to the database server database_server_name with an API key by running the following command at the CLP command prompt or from a script.

CONNECT TO database_server_name APIKEY user_name:api_key

CLPPlus API key

Connect to the DSN alias (@data_source_name) with an API key by running the following command at the CLPPLUS command prompt or from a script.

CONNECT @data_source_name using(apikey user_name:api_key)

Connections to Db2 through external providers

Db2 supports authentication and authorization through any external providers that are supported by IBM Software Hub.

External LDAP: Db2 supports LDAP that is used to manage access to the IBM Software Hub platform. For details, see Connecting to your LDAP server.
Azure Directory: Db2 supports Microsoft Azure data store connections within IBM Software Hub.