IBM Data & AI

.net Trusted Connection String for DB2 Z/OS

We are attempting to build a .NET program that takes advantage of ID propagation in z/OS for RACF. We are trying to connect to DB2 on z/OS from a Windows client using DB2 Connect. Specifically, we are trying to create a trusted connection with the IBM Data Server Provider for .NET.

The problem that we are having is that DB2 doesn't understand that we are passing it a distributed ID. This is because, in order for DB2 to understand that a distributed ID is being used, a registry must be passed as well. There is no keyword option for this in the connection string for .NET.

Example from:
http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.swg.im.dbclient.adonet.doc/doc/c0053347.html?lang=en

database=db;server=server1:446;
UserID=userapp1;Password=passapp1;
TrustedContextSystemUserID=masteruser;TrustedContextSystemPassword=masterpassword

We have all the other pieces turned on and functioning. We have verified with IBM that the trusted context is set up in DB2 properly. The RACF ID propagation facility class has been turned on and the ID mapped. This is the one piece that we are missing.

Per the Redbook "Identity Propagation for z/OS", page 35:

DB2 10 for z/OS Identity Propagation works only in a trusted context. The end user's identity consists of a distinguished name and registry name. Using a trusted connection, DB2 for z/OS detects the registry name and allows the distributed identity to be passed onto RACF to be mapped.

Also page 36:

The registry name is not verified by RACF, however, it must be supplied by the distributed application, otherwise DB2 will not recognize the distributed identity and will be treated as a normal RACF user ID.

This is what we believe we are seeing when currently trying to connect without passing a registry. The program will work when passing a RACF ID, but when passing a distributed ID after the trusted connection has been made, it tries to verify that the ID being passed is a RACF ID. Instead, it should be looking in the RACF map class for this distributed ID to be mapped to a RACF ID.

We need the ability to pass a registry to DB2 so that it will understand we are passing it a distributed ID. This ability is already available in Java.
  • Guest
  • Dec 28 2018
  • Needs review
Idea Priority Urgent
Customer Name SFBLI