IBM Support

Simplified DDM and DRDA authentication entry management using group profiles

News


Abstract

Simplified DDM and DRDA authentication entry management using group profiles

Content


The Add Server Authentication Entry (ADDSVRAUTE) command adds authentication information used when application requesters attempt to connect to application servers using DDM (Distributed Data Management) or DRDA (Distributed Relational Database Architecture).


Prior to this enhancement, if server authentication entries were to be used to access an application server that required userid and password authentication, a server authentication entry had to be in place for every user on the system requiring access. This enhancement allows DDM and DRDA to take advantage of a common userid and password defined in a server authentication entry under a group profile name or supplemental group profile name. The group profile name or supplemental group profile name is specified on the USRPRF parameter of the ADDSVRAUTE command.
 

System administration of server authentication entries becomes much simpler when a group profile is used. A common user ID and password profile is used when establishing a group profile based DDM or DRDA connection. Remote connection capability is managed by controlling the users that belong to the group together with their authority to the group profile.

Note: An alternative server authentication entry order was added with IBM i 7.1 TR8.  See the section at the bottom for details.


Example:
CRTUSRPRF USRPRF(TESTTEAM) PASSWORD(*NONE)
CRTUSRPRF USRPRF(JIM) PASSWORD(yourpasswordA) GRPPRF(TESTTEAM)
ADDSVRAUTE USRPRF(TESTTEAM) SERVER(QDDMDRDASERVER or <RDB-name>) USRID(youruseridB) PASSWORD(yourpasswordB)


Sign on to <system-A> with Jim's user profile

STRSQL
CONNECT TO <system-B>
(where <system-B> is defined in the Relational Database Directory Entries - WRKRDBDIRE)

A connection is attempted to <system-B> with userid = youruseridB and password = yourpasswordB.

Usage notes:
A userid authentication entry takes precedence over a group profile authentication entry, as shown in the progression below.

DDM & DRDA server authentication entry checking occurs in the following order. The connection is attempted with the settings of the first match found.

  1. Search the authentication entries where USRPRF=user profile and SERVER= application server name
  2. Search the authentication entries where USRPRF=user profile and SERVER='QDDMDRDASERVER'
  3. Search the authentication entries where USRPRF=group profile and SERVER= application server name
  4. Search the authentication entries where USRPRF=group profile and SERVER='QDDMDRDASERVER'
  5. Search the authentication entries where USRPRF=supplemental group profile and SERVER= application server name
  6. Search the authentication entries where USRPRF=supplemental group profile and SERVER='QDDMDRDASERVER'
  7. If no entry has been found in all previous steps, a USERID-only authentication attempt will be used.

See this page for details on the QDDMDRDASERVER special value.

Authorization Requirement:

To use the ADDSVRAUTE command, you must have the following authorizations:

  • Security administrator (*SECADM) user special authority
  • Object management (*OBJMGT) user special authority

NOTE: With DB2 PTF Group (6.1) SF99601 Level 29 and (7.1) SF99701 Level 21, the GRTOBJAUT step to grant *USE authority, for group members to use the group profiles server authentication entry, is no longer necessary, so that information has been removed from this page.


DRDA explicit server name priority when using group profile server authentication entries

Note: This support was added in the IBM i 7.1 TR8 time-frame via DB2 PTF Group SF99701 Level 29

When the default authentication entry search order (explained above) is used, the search stops at connect time as soon as a match is found for QDDMDRDASERVER, so a QDDMDRDASERVER entry under the user profile or group profile is used even when a later profile in the order has an entry for the explicit server name.
The QIBM_DDMDRDA_SVRNAM_PRIORITY environment variable dictates whether the explicit server name order below is favored when searching for authentication entries:
  1. USRPRF=user profile & SERVER=application server name
  2. USRPRF=group profile & SERVER=application server name
  3. USRPRF=supplemental group profile & SERVER=application server name
  4. USRPRF=user profile & SERVER='QDDMDRDASERVER'
  5. USRPRF=group profile & SERVER='QDDMDRDASERVER'
  6. USRPRF=supplemental group profile & SERVER='QDDMDRDASERVER'
  7. If no entry has been found in all previous steps, a USERID-only authentication attempt will be used
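The two search orders above differ only in where the QDDMDRDASERVER entries sit relative to explicit server name entries. The following Python model is an added illustration, not IBM i code and not how the operating system implements the lookup: it walks a constructed table of server authentication entries in both orders so the difference is visible. The profile names (JIM, TESTTEAM, DBADMINS), the relational database names (SYSB, SYSC) and the user IDs are constructed sample values; passwords are deliberately not modelled.

```python
"""Model of the DDM/DRDA server authentication entry search order.

Added illustration, not IBM i code: it reproduces the default search order
and the QIBM_DDMDRDA_SVRNAM_PRIORITY='Y' order described on this page over
a constructed table of entries. All names and user IDs are sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

QDDMDRDASERVER = "QDDMDRDASERVER"  # special value: entry applies to any application server


@dataclass(frozen=True)
class SvrAutE:
    """One server authentication entry (the USRPRF, SERVER and USRID of ADDSVRAUTE)."""
    usrprf: str
    server: str
    usrid: str


@dataclass(frozen=True)
class UserProfile:
    """The connecting user's profile with its group (GRPPRF) and supplemental groups (SUPGRPPRF)."""
    name: str
    grpprf: Optional[str] = None
    supgrpprf: Tuple[str, ...] = ()


def candidate_profiles(user: UserProfile) -> List[str]:
    """Profiles whose entries may be used: user, then group, then supplemental groups."""
    profiles = [user.name]
    if user.grpprf:
        profiles.append(user.grpprf)
    profiles.extend(user.supgrpprf)
    return profiles


def search_order(user: UserProfile, rdb: str, svrnam_priority: bool) -> List[Tuple[str, str]]:
    """Return the (USRPRF, SERVER) pairs to look up, in the order they are checked.

    Default order: for each profile, the explicit server name, then QDDMDRDASERVER.
    Explicit-server-name priority: every profile's explicit server name entry first,
    then every profile's QDDMDRDASERVER entry.
    """
    profiles = candidate_profiles(user)
    if svrnam_priority:
        return [(p, rdb) for p in profiles] + [(p, QDDMDRDASERVER) for p in profiles]
    order = []
    for p in profiles:
        order.append((p, rdb))
        order.append((p, QDDMDRDASERVER))
    return order


def resolve(entries: List[SvrAutE], user: UserProfile, rdb: str,
            svrnam_priority: bool = False) -> Optional[SvrAutE]:
    """First matching entry, or None when step 7 (user ID only attempt) would apply."""
    index = {(e.usrprf, e.server): e for e in entries}
    for key in search_order(user, rdb, svrnam_priority):
        if key in index:
            return index[key]
    return None


# Constructed sample data: JIM belongs to group TESTTEAM and supplemental group DBADMINS.
JIM = UserProfile(name="JIM", grpprf="TESTTEAM", supgrpprf=("DBADMINS",))

SAMPLE_ENTRIES = [
    SvrAutE(usrprf="TESTTEAM", server=QDDMDRDASERVER, usrid="teamuser"),  # group, any server
    SvrAutE(usrprf="DBADMINS", server="SYSB", usrid="adminuser"),          # supplemental group, SYSB only
]


def demo() -> dict:
    """Resolve JIM's connection to SYSB under both orders and return the chosen user IDs."""
    default = resolve(SAMPLE_ENTRIES, JIM, "SYSB")
    priority = resolve(SAMPLE_ENTRIES, JIM, "SYSB", svrnam_priority=True)
    return {
        "default": default.usrid if default else None,      # step 4 hit: teamuser
        "svrnam_priority": priority.usrid if priority else None,  # step 3 hit: adminuser
    }


if __name__ == "__main__":
    print(demo())
```

With the default order the group profile's QDDMDRDASERVER entry is found at step 4 before the supplemental group's explicit SYSB entry is ever considered; with the environment variable set, the explicit SYSB entry wins. A user-level entry still takes precedence over both in either order, which is why adding an entry under a user profile is the way to override a group's shared credentials for one person.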
 
Example 1. How to create the environment variable
ADDENVVAR ENVVAR(QIBM_DDMDRDA_SVRNAM_PRIORITY) VALUE('Y') LEVEL(*JOB or *SYS)


Document Information

Modified date:
21 January 2020

UID

ibm11172482