Technical Blog Post
Abstract
Connect:Direct for Windows: How does the 'proxy.attempt' parameter work?
Body
Connect:Direct for Windows processes incoming user IDs from remote nodes based on how the 'proxy.attempt' parameter is set in the Initparms.
The default setting is 'proxy.attempt=N'.
The best way to answer this question is provide different scenarios.
Scenario 1:
proxy.attempt=N
The Remote ID has both a Functional Authority and Proxy record on your C:D node.
Your C:D node will attempt to validate the incoming ID with the Functional Authority record. If this fails, the process fails. C:D will not try the Proxy record.
Scenario 2:
proxy.attempt=N
The Remote ID has only a Proxy record on your C:D node.
Your C:D node will first look in Functional Authorities for the incoming ID and will not find a record for the incoming ID, C:D will then look in Proxies for a record. Finding it, C:D will map the process to the LocalUserid specified in the Proxy record. C:D will then attempt to validate the LocalUserid in the Functional Authorities records. If this validation for the LocalUserid fails, the process fails.
Scenario 3:
proxy.attempt=Y
The Remote ID has both a Functional Authority and Proxy record on your C:D node.
Your C:D node will first look in the Proxy records. Finding the record, C:D will map the process to the LocalUserid specified in the Proxy record. C:D will then attempt to validate the LocalUserid in the Functional Authorities records. If this validation for the LocalUserid fails, the process fails. C:D will not try the Functional Authorities record for the incoming ID.
Scenario 4:
proxy.attempt=Y
The Remote ID has only a Proxy record on your C:D node.
Your C:D node will first look in the Proxy records. Finding the record, C:D will map the process to the LocalUserid specified in the Proxy record. C:D will then attempt to validate the LocalUserid in the Functional Authorities records. If this validation for the LocalUserid fails, the process fails.
If your C:D node does not find a Proxy record, it will look in Functional Authorities for a record for the remote ID. Not finding one, the process will fail.
"Best practice":
a. Define remote user IDs in the Proxies.
b. Do not define remote user IDs in Functional Authorities.
c. Set 'proxy.attempt=Y'.
UID
ibm11123557