IBM Support

DDM Server Authentication Entry Logic

Question & Answer


Question

How Does DDM Determine Which Server Authentication Entry to Use?

Cause

IBM i DDM/DRDA clients which fail to authenticate to other IBM i target systems with error:
CPF9190 - Authorization failure on DRDA/DDM TCP/IP connection attempt.
...should review the chart below and understand how credentials are (or are not) being provided to the target system.

Answer

The following flowchart explains how IBM i determines which server authentication entry (SVRAUTE) to use for a DDM connection. There are several variables at play starting with whether the DDM file is defined by using a relational database name (*RDB) or a host name or TCP/IP address. If the DDM object is defined by using a relational database entry, there is an extra environment variable, QIBM_QDDMDRDA_SRVNAM_PRIORITY that affects the order in which server authentication entries are checked.  Additionally, when the environment variable QIBM_CONJOINED_MUT_AUTH is set to Y and the target system requires a password, then the check for server authentication entries stops at the first server authentication entry found.  If that server authentication entry does not have a stored password, the user profile that the job is using and the password for that profile are sent to the target system.

Flowchart showing logic for determining which server authentication entry to use.


 

[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Data Access","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

More support for:
IBM i

Software version:
Version Independent

Operating system(s):
IBM i

Document number:
688131

Modified date:
25 January 2024

UID

nas8N1022601

Manage My Notification Subscriptions

Page Feedback