IBM Support

Enable DRDA and DDM authentication using user profile's password

News


Abstract

New option for sending encrypted password on homogeneous DDM/DRDA connections exists at OS/400 7.2.

Content

This improvement is officially named DRDA/DDM Conjoined Mutual Authentication and is only supported for IBM i to IBM i connections. It is enabled through environment variable QIBM_CONJOINED_MUT_AUTH on the Distributed Relational Database Architecture (DRDA) application requester or Distributed Data Management (DDM) source system.

If the application server was configured to require a password before this enhancement, users attempting a DRDA or DDM connection needed to specify a password on the SQL CONNECT statement.  Alternatively, they could specify a server authentication entry containing a password. This required users or system administrators to spend time managing server authentication entries for all target systems or to specify a password at CONNECT time if they connected remotely. If a password was not provided on the SQL CONNECT statement or not specified in a server authentication entry for the application server, the DRDA/DDM connection to the application server requiring a password would fail.

With this enhancement enabled, an IBM i to IBM i DRDA or DDM connection attempt is made to the application server by using the currently signed in user profile and password.
This connection attempt is only performed if the following criteria is met.
  • The environment variable is set to a value of 'Y'.
  • The user did not explicitly specify an ID and password on the SQL CONNECT statement.
  • No valid server authentication entry exists for the connection.

This enhancement is beneficial in networks where users have the same user profile and password combination across multiple systems. This enhancement allows users to not have to specify server authentication entries for 3-part connections.

Requirements:
Both the application requester and application server must be running OS/400 version 7.2 or above to allow this enhancement to work.

This enhancement is enabled when the application requester's job adds an environment variable QIBM_CONJOINED_MUT_AUTH with value of 'Y'. For example:

ADDENVVAR ENVVAR(QIBM_CONJOINED_MUT_AUTH) VALUE(Y)

The application server must be set to require a password (see the CHGDDMTCPA command, PWDRQD keyword).

Both systems are required to use the same password level. The password level is specified in the system value QPWDLVL.

The user must not explicitly specify a user profile and password on the SQL CONNECT statement or in a server authentication entry for the application server configured to require a password.

The application requester relational database directory entry for the application server must have "Allow lower authentication. : " set to *ALWLOWER.


Note: An IBM i to IBM i DRDA or DDM connection, where a password or a server authentication entry
is not specified by the application requester and the support is enabled, results in an extra connection attempt to be made to the application server requiring a password to connect. This extra connection attempt is made with an encrypted user ID and password security mechanism where the user ID is from the user profile making the connection, and the password is retrieved from that user profile. If it is determined that the passwords match, the connection is allowed as normal. If the passwords do not match, if there is a security failure, or if one of the requirements is not met, a CPF22E2 message is signaled, and a PW audit record is written. This invalid connection attempt is counted as one invalid signon attempt for the user profile.


Security audit records are written to the QSYS/QAUDJRN security audit journal when auditing is enabled and the auditing level is configured to include authorization failures. A PW audit record appears when the user ID or password fails to connect.

[{"Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CRKAA2","label":"Data Access->DDM DRDA"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Version(s)"}]

Document Information

Modified date:
05 July 2021

UID

nas8N1019914