Establishing remote trusted connections by Db2 for z/OS requesters
A Db2 for z/OS® requester can establish a trusted connection to a remote location by setting up the new TRUSTED column in the SYSIBM.LOCATIONS table.
About this task
How Db2 obtains the system authorization ID to establish the trusted connection depends on the value of the SECURITY_OUT option in the SYSIBM.IPNAMES table. The SECURITY_OUT option in the SYSIBM.IPNAMES table must be 'E', 'P', or 'R'.
When the z/OS requester receives an SQL CONNECT to a remote location, with or without the USER and USING clauses, or when an application references a remote table or procedure, Db2 looks in the SYSIBM.LOCATIONS table for a matching row. If Db2 finds a matching row, it checks the TRUSTED column. If the value of the TRUSTED column is 'Y', Db2 looks at the SYSIBM.IPNAMES table. The values in the SECURITY_OUT and USERNAMES columns determine the system authorization ID, as shown in the following table.
| IPNAMES.SECURITY_OUT values | IPNAMES.USERNAMES value | Result |
|---|---|---|
| 'P' or 'E' | 'S' | The system authorization ID credentials that are used to establish the trusted connection are obtained from the row in the SYSIBM.USERNAMES table with TYPE 'S'. Db2 sends the user switch request on behalf of the primary authorization ID without authentication under two conditions. First, the system authorization ID value in the AUTHID column is different from the primary authorization ID. Second, a trusted connection is successfully established. |
| 'P' or 'E' | 'O' | If a row with TYPE 'S' is defined in the SYSIBM.USERNAMES table, the system authorization ID credentials that are used to establish the trusted connection are obtained from the row. After successfully establishing the trusted connection, Db2 obtains the translated authorization ID information for the primary authorization ID from the row in the SYSIBM.USERNAMES table with TYPE 'O'. Db2 sends the user switch request on behalf of the primary authorization ID with authentication. |
| 'R' | blank | If a row with TYPE 'S' is not defined in the SYSIBM.USERNAMES table, Db2 obtains the system authorization ID information that is used to establish the trusted connection from the row in the SYSIBM.USERNAMES table with TYPE 'O'. |
| 'R' | 'S' | The primary authorization ID is used as the system authorization ID to establish the trusted connection. |
| 'R' | 'O' | The system authorization ID that is used to establish the trusted connection is obtained from the row in the SYSIBM.USERNAMES table with TYPE='S'. After establishing the trusted connection successfully, Db2 sends the user switch request on behalf of the primary authorization ID without authentication. |
If the IPNAMES.SECURITY_OUT option is not correctly set up, Db2 returns an error.
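The following query is an added example, not part of the original documentation. It lists every location marked TRUSTED = 'Y', shows the IPNAMES values that drive the table above, and flags rows whose SECURITY_OUT value is not 'E', 'P', or 'R'. The TYPE_S_ROWS and FINDING column names are chosen here for illustration, and the query assumes that a blank LINKNAME in SYSIBM.USERNAMES applies to all partners.

```sql
-- Added example: audit the outbound trusted-connection setup in the
-- communications database before applications hit a connection error.
SELECT L.LOCATION,
       L.LINKNAME,
       I.SECURITY_OUT,
       I.USERNAMES,
       -- Number of TYPE 'S' rows that can supply the system authorization ID.
       -- Assumption: a blank LINKNAME in SYSIBM.USERNAMES matches any partner.
       (SELECT COUNT(*)
          FROM SYSIBM.USERNAMES U
         WHERE U.TYPE = 'S'
           AND (U.LINKNAME = L.LINKNAME OR U.LINKNAME = ' ')) AS TYPE_S_ROWS,
       CASE
         -- TRUSTED = 'Y' but no TCP/IP row for Db2 to consult.
         WHEN I.LINKNAME IS NULL
           THEN 'NO IPNAMES ROW'
         -- SECURITY_OUT must be 'E', 'P', or 'R' for a trusted connection.
         WHEN I.SECURITY_OUT NOT IN ('E', 'P', 'R')
           THEN 'SECURITY_OUT NOT E/P/R'
         ELSE 'OK'
       END AS FINDING
  FROM SYSIBM.LOCATIONS L
  LEFT OUTER JOIN SYSIBM.IPNAMES I
    ON I.LINKNAME = L.LINKNAME
 WHERE L.TRUSTED = 'Y'
 ORDER BY L.LOCATION;
```

Read TYPE_S_ROWS together with SECURITY_OUT and USERNAMES: the table above determines whether a TYPE 'S' row is needed to supply the system authorization ID.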
For more information about the supported configurations for IPNAMES.SECURITY_OUT and related column values, see SYSIBM.IPNAMES columns.