Abstract
This document describes an option to automatically send an encrypted password on homogeneous (IBM i to IBM i) DDM/DRDA connections.
Content
Before this enhancement, if the application server was configured to require a password, users attempting a DRDA or DDM connection had to specify a password on the SQL CONNECT statement or in a server authentication entry. This meant users or system administrators had to manage server authentication entries for every target system, or supply a password at CONNECT time when connecting remotely. If no password was provided on the SQL CONNECT statement or in a server authentication entry for the application server, the DRDA/DDM connection to an application server requiring a password failed.
With this enhancement enabled, an IBM i to IBM i DRDA or DDM connection attempt is made to the application server using the currently signed-in user profile and its password when all of the following are true:
- The environment variable is set to a value of 'Y'.
- The user did not explicitly specify an ID and password on the SQL CONNECT statement.
- No valid server authentication entry exists for the connection.
This enhancement is beneficial in networks where users have the same user profile and password combination across multiple systems. It removes the need for users to maintain server authentication entries for 3-part connections.
Requirements:
Both the application requester and the application server must be running OS/400 version 7.2 or later for this enhancement to work.
This enhancement is enabled when the application requester's job adds the environment variable QIBM_CONJOINED_MUT_AUTH with a value of 'Y'. For example:
ADDENVVAR ENVVAR(QIBM_CONJOINED_MUT_AUTH) VALUE(Y)
The application server must be set to require a password (see the CHGDDMTCPA command, PWDRQD keyword).
The user must not explicitly specify a user profile and password on the SQL CONNECT statement or in a server authentication entry for the application server configured to require a password.
The application requester's relational database directory entry for the application server must have "Allow lower authentication" set to *ALWLOWER.
1. For v730 and earlier IBM i clients, the following connectivity is allowed:
   * QPWDLVL 0,1 clients can connect with:
     - All QPWDLVL 0,1 servers.
   * QPWDLVL 2,3 clients can connect with:
     - All QPWDLVL 2,3 servers.
2. For v740 IBM i clients, the following connectivity is allowed:
   * QPWDLVL 0,1 clients can connect with:
     - QPWDLVL 0,1 IBM i v730 and earlier servers.
     - QPWDLVL 0,1,2 IBM i v740 servers.
       The Display Authorized Users (DSPAUTUSR) command on the QPWDLVL 2 server system must show that the user has a Level 0 or 1 password.
     - QPWDLVL 0,1 IBM i v750 and later servers.
   * QPWDLVL 2,3 clients can connect with:
     - QPWDLVL 2,3 IBM i v730 and earlier servers.
     - QPWDLVL 0,1,2,3 IBM i v740 servers.
       The Display Authorized Users (DSPAUTUSR) command on the QPWDLVL 2,3 client system must show that the user has a Level 0 or 1 password when connecting to a QPWDLVL 0,1 server system.
     - QPWDLVL 2,3 IBM i v750 and later servers.
   * QPWDLVL 4 clients can connect with:
     - QPWDLVL 4 IBM i v750 and later servers.
3. For v750 and later IBM i clients, the following connectivity is allowed:
   * QPWDLVL 0,1 clients can connect with:
     - QPWDLVL 0,1 IBM i v730 and earlier servers.
     - QPWDLVL 0,1,2 IBM i v740 servers.
       The Display Authorized Users (DSPAUTUSR) command on the QPWDLVL 2 server system must show that the user has a Level 0 or 1 password.
     - QPWDLVL 0,1 IBM i v750 and later servers.
   * QPWDLVL 2,3 clients can connect with:
     - QPWDLVL 2,3 IBM i v730 and earlier servers.
     - QPWDLVL 0,1,2,3 IBM i v740 servers.
       The Display Authorized Users (DSPAUTUSR) command on the QPWDLVL 2,3 client system must show that the user has a Level 0 or 1 password when connecting to a QPWDLVL 0,1 server system.
     - QPWDLVL 2,3 IBM i v750 and later servers.
   * QPWDLVL 4 clients can connect with:
     - QPWDLVL 4 IBM i v750 and later servers.
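The connectivity rules above, encoded as a checker that a requester administrator can run over an inventory of requester/server pairs before enabling the variable. This is an added example, not IBM's code; the release codes 730/740/750, the inventory labels and the pairs themselves are constructed for illustration.

```python
"""QPWDLVL connectivity checker for QIBM_CONJOINED_MUT_AUTH (added example, not IBM
code). Constructed release codes: 730 = v730 and earlier, 740 = v740, 750 = v750+."""
from typing import List, Optional, Tuple

SERVER_CHECK = "DSPAUTUSR on the QPWDLVL 2 server must show a Level 0 or 1 password"
CLIENT_CHECK = "DSPAUTUSR on the QPWDLVL 2,3 client must show a Level 0 or 1 password"

def _band(release: int) -> int:
    """Collapse a release code into the three bands the matrix distinguishes."""
    return 730 if release <= 730 else 740 if release == 740 else 750

def connection_allowed(client_rel: int, client_lvl: int,
                       server_rel: int, server_lvl: int) -> Tuple[bool, Optional[str]]:
    """Return (allowed, extra DSPAUTUSR check or None) per the matrix above."""
    for lvl in (client_lvl, server_lvl):
        if lvl not in range(5):
            raise ValueError(f"QPWDLVL must be 0-4, got {lvl}")
    c, s = _band(client_rel), _band(server_rel)
    low, high = client_lvl in (0, 1), client_lvl in (2, 3)
    if c == 730:
        # v730 and earlier requesters: both sides must be in the same password band.
        return (low and server_lvl in (0, 1)) or (high and server_lvl in (2, 3)), None
    # v740 and v750-or-later requesters share one matrix.
    if low:
        if s == 740 and server_lvl == 2:
            return True, SERVER_CHECK
        return server_lvl in (0, 1), None
    if high:
        if s == 740 and server_lvl in (0, 1):
            return True, CLIENT_CHECK
        return server_lvl in (2, 3), None
    # QPWDLVL 4 requesters only reach QPWDLVL 4 servers at v750 or later.
    return s == 750 and server_lvl == 4, None

def audit_pairs(pairs) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split an inventory into pairs that would fail (CPF22E2, PW audit record,
    one invalid sign-on counted) and pairs that need a DSPAUTUSR check first."""
    failing, needs_check = [], []
    for name, *args in pairs:
        ok, note = connection_allowed(*args)
        if not ok:
            failing.append(name)
        elif note:
            needs_check.append((name, note))
    return failing, needs_check

# Constructed inventory: (label, client_rel, client_lvl, server_rel, server_lvl)
INVENTORY = [("PROD->HR", 750, 3, 740, 1),      # allowed; check client password level
             ("PROD->ARCHIVE", 750, 3, 730, 1), # fails: 2,3 client vs 0,1 v730 server
             ("DEV->PROD", 740, 1, 750, 4)]     # fails: 0,1 client vs QPWDLVL 4 server
```

Pairs reported as failing are the ones that, once the variable is set, will produce a CPF22E2 message and a PW audit record on every attempt and count against the user profile's invalid sign-on limit, so they are worth fixing (or excluding) before the rollout.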
Note: When this support is enabled and the application requester specifies neither a password nor a server authentication entry, an IBM i to IBM i DRDA or DDM connection results in an extra connection attempt to the application server that requires a password. This extra attempt uses an encrypted user ID and password security mechanism; the user ID is that of the user profile making the connection, and the password is retrieved from that user profile. If the passwords match, the connection proceeds as normal. If the passwords do not match, a security failure occurs, or one of the requirements is not met, a CPF22E2 message is signaled and a PW audit record is written. This invalid connection attempt counts as one invalid sign-on attempt for the user profile.
Security audit records are written to the QSYS/QAUDJRN security audit journal when auditing is enabled and the auditing level is configured to include authorization failures. A PW audit record is written when the connection fails because of an invalid user ID or password.
Document Information
Modified date: 03 June 2025
UID: nas8N1019914