IBM DB2 Connection Details

Introduction

Connector Version

This documentation is based on version 25.0.9368 of the connector.

Get Started

DB2 Version Support

Compatible with DRDA gateway protocol version 5 and newer. May also connect to DB2 server deployed DRDA gateway.

Establish a Connection

Connect to DB2

To connect to DB2, set these properties:

• Server: The name of the server running DB2.
• Port: The port the DB2 server is listening on.
• Database: The name of the DB2 database.

Once you are ready to connect, choose an authentication scheme and set the appropriate properties, as described below.

Authenticate to DB2

The connector supports four different schemes for authenticating to DB2: DB2 user credentials (default), encrypted user credentials, IBM Identity and Access Management (IAM) authentication, and Kerberos.

DB2 User Credentials

To authenticate using user credentials, set these properties:

• AuthScheme: USRIDPWD.
• User: The username of a user with access to the database.
• Password: The password of a user with access to the database.

Encrypted User Credentials

If your server supports secure authentication and you want to authenticate using encrypted user credentials, set this property:

• AuthScheme: EUSRIDPWD

IAM

The connector supports authenticating to the DB2 server using the API key of an application that connects to it, such as Watson Query.

To authenticate using an appropriate API key, set these properties:

• AuthScheme: IBMIAMAuth.
• User: The IBM ID or service ID of a DB2 server user.
• Password: The API key associated with the application that requires access to the DB2 database.

Kerberos

Authenticating to DB2 via Kerberos requires you to define authentication properties and choose how Kerberos should retrieve authentication tickets.

To authenticate to DB2 with Kerberos, set these properties:

• AuthScheme: KERBEROS.
• KerberosKDC: The Kerberos Key Distribution Center (KDC) service used to authenticate the user.
• KerberosUser The principal name for the Kerberos domain controller, specified in the format host/user@realm.
• KerberosSPN (optional): The Kerberos Domain Controller's Service Principal name (SPN).

Finally, to complete the security check set either of the following:

• Password: The password provided for authentication to the database.
• KerberosKeytabFile: The Keytab file containing your pairs of Kerberos principals and encrypted keys.

Retrieve Kerberos Tickets

Kerberos tickets are used to authenticate the requester's identity. The use of tickets instead of formal logins/passwords eliminates the need to store passwords locally or send them over a network. Users are reauthenticated (tickets are refreshed) whenever they log in at their local computer or enter kinit USER at the command prompt.

The connector provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.

MIT Kerberos Credential Cache File

This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.

This option requires that KRB5CCNAME has been created in your system.

To enable ticket retrieval via MIT Kerberos Credential Cache Files:

1. Ensure that the KRB5CCNAME variable is present in your environment.
2. Set KRB5CCNAME to a path that points to your credential cache file. (For example, C:\krb_cache\krb5cc_0 or /tmp/krb5cc_0.) The credential cache file is created when you use the MIT Kerberos Ticket Manager to generate your ticket.

3. To obtain a ticket:

   1. Open the MIT Kerberos Ticket Manager application.
   2. Click Get Ticket.
   3. Enter your principal name and password.
   4. Click OK.

   If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.

The connector uses the cache file to obtain the Kerberos ticket to connect to DB2.

Keytab File

If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.

To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.

User and Password

If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.

To use this method, set the User and Password properties to the user/password combination that you use to authenticate with DB2.

Enable Cross-Realm Authentication

More complex Kerberos environments can require cross-realm authentication where multiple realms and KDC servers are used. For example, they might use one realm/KDC for user authentication, and another realm/KDC for obtaining the service ticket.

To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.

Supported CCSIDs

The connector is compatible with DB2 instances with the following CCSIDs. You may encounter invalid character set errors if your DB2 server uses CCSIDs other than those listed.

• 37
• 273
• 277
• 278
• 280
• 284
• 285
• 290
• 297
• 300
• 301
• 367
• 420
• 437
• 500
• 524
• 737
• 775
• 806
• 813
• 819
• 833
• 834
• 835
• 836
• 837
• 838
• 850
• 852
• 855
• 856
• 857
• 858
• 859
• 860
• 861
• 862
• 863
• 864
• 865
• 866
• 868
• 869
• 870
• 871
• 874
• 875
• 878
• 897
• 912
• 913
• 914
• 915
• 916
• 918
• 920
• 921
• 922
• 923
• 924
• 927
• 930
• 932
• 933
• 935
• 937
• 939
• 942
• 943
• 947
• 948
• 949
• 950
• 951
• 954
• 964
• 970
• 971
• 1006
• 1025
• 1026
• 1027
• 1041
• 1043
• 1046
• 1047
• 1051
• 1088
• 1089
• 1097
• 1098
• 1112
• 1114
• 1115
• 1122
• 1123
• 1124
• 1140
• 1141
• 1142
• 1143
• 1144
• 1145
• 1146
• 1147
• 1148
• 1149
• 1163
• 1200
• 1208
• 1250
• 1251
• 1252
• 1253
• 1254
• 1255
• 1256
• 1257
• 1258
• 1275
• 1280
• 1282
• 1283
• 1284
• 1285
• 1286
• 1351
• 1362
• 1363
• 1364
• 1370
• 1371
• 1380
• 1381
• 1382
• 1383
• 1385
• 1386
• 1388
• 1390
• 1392
• 1399
• 5026
• 5035

Important Notes

Configuration Files and Their Paths

• All references to adding configuration files and their paths refer to files and locations on the Jitterbit agent where the connector is installed. These paths are to be adjusted as appropriate depending on the agent and the operating system. If multiple agents are used in an agent group, identical files will be required on each agent.

Advanced Features

This section details a selection of advanced features of the DB2 connector.

SSL Configuration

Use SSL Configuration to adjust how connector handles TLS/SSL certificate negotiations. You can choose from various certificate formats. For further information, see the SSLServerCert property under "Connection String Options".

Proxy

To configure the connector using private agent proxy settings, select the Use Proxy Settings checkbox on the connection configuration screen.

Log

For an overview of configuration settings that can be used to refine logging, see Logging. Only two connection properties are required for basic logging, but there are numerous features that support more refined logging, which enables you to use the LogModules connection property to specify subsets of information to be logged.

SSL Configuration

Customize the SSL Configuration

To enable TLS, set UseSSL to True.

With this configuration, the connector attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.

To specify another certificate, see the SSLServerCert connection property.

Advanced Configurations Properties

The advanced configurations properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure. Click the links for further details.

Authentication

Session

Kerberos

SSL

SSH

Schema

Miscellaneous

Authentication

This section provides a complete list of authentication properties you can configure.

AuthScheme

Specifies the scheme for authenticating to DB2.

Possible Values

USRIDPWD, EUSRIDPWD, IBMIAMAuth, KERBEROS

Data Type

string

Default Value

USRIDPWD

Remarks

• USRIDPWD (default): Authenticate using user ID and password.
• EUSRIDPWD: Authenticate using an encrypted user ID and encrypted password.
• IBMIAMAuth: Authenticate using a user ID and password (API key) to connect to Watson Query.
• KERBEROS: Use Kerberos authentication. Requires KerberosKDC, KerberosUser and KerberosSPN(optional) to authenticate, and Password OR KerberosKeytabFile to complete the security check.

Server

The name of the DB2 server.

Data Type

string

Default Value

""

Remarks

This property should be set to the name or network address of the server hosting the DB2 database.

Port

The port used to connect to the server hosting the DB2 database.

Data Type

string

Default Value

50000

Remarks

The port used to connect to the server hosting the DB2 database.

Database

The name of the DB2 database.

Data Type

string

Default Value

""

Remarks

The name of the DB2 database running on the specified Server. To connect to the database, you will also need to specify a User and Password for a user authorized to access the database.

User

A database user.

Data Type

string

Default Value

""

Remarks

The username of a user authorized to access the database.

Password

The user's password.

Data Type

string

Default Value

""

Remarks

The password provided for authentication with the database.

UseSSL

This field sets whether SSL is enabled.

Data Type

bool

Default Value

false

Remarks

This field sets whether the connector will attempt to negotiate TLS/SSL connections to the server. By default, the connector checks the server's certificate against the system's trusted certificate store. To specify another certificate, set SSLServerCert.

AlternateServers

This property allows you to specify multiple servers in addition to the one configured in Server and Port. Specify both a server name and port; separate servers with a comma.

Data Type

string

Default Value

""

Remarks

This property allows you to specify the other servers in addition to the one configured in Server and Port. You must specify all servers using AlternateServers, Server, and Port.

Specify both a server name and port in AlternateServers; separate servers with a comma. For example:

Server=localhost;Port=27017;AlternateServers=localhost:27018,localhost:27019;

Session

This section provides a complete list of the Session properties you can configure.

DefaultIsolationLevel

This property specifies the isolation level applied to the connection.

Possible Values

no_commit, read_uncommitted, read_comitted, repeatable_read, serializable

Data Type

string

Default Value

read_uncommitted

Remarks

By default it is "read_uncommitted".

Kerberos

This section provides a complete list of Kerberos properties you can configure.

KerberosKDC

Identifies the Kerberos Key Distribution Center (KDC) service used to authenticate the user. (SPNEGO or Windows authentication only).

Data Type

string

Default Value

""

Remarks

The Kerberos properties are used when using SPNEGO or Windows Authentication. The connector requests session tickets and temporary session keys from the Kerberos KDC service, which is usually co-located with the domain controller.

If KerberosKDC is not specified, the connector tries to detect these properties automatically from the following locations:

• KRB5 Config File (krb5.ini/krb5.conf): If the KRB5_CONFIG environment variable is set and the file exists, the connector obtains the KDC from the specified file. If it is not found there, the connector tries to read from the default MIT location based on the OS: C:\ProgramData\MIT\Kerberos5\krb5.ini (Windows) or /etc/krb5.conf (Linux).
• Java System Properties: Using the system properties java.security.krb5.realm and java.security.krb5.kdc.
• Domain Name and Host: If the Kerberos Realm and Kerberos KDC cannot be inferred from another location, the connector infers them from the configured domain name and host.

KerberosSPN

Identifies the service principal name (SPN) for the Kerberos Domain Controller.

Data Type

string

Default Value

""

Remarks

If the SPN on the Kerberos Domain Controller is not the same as the URL that you are authenticating to, use this property to set the SPN to the KDC's URL.

KerberosUser

Confirms the principal name for the Kerberos Domain Controller, which uses the format host/user@realm.

Data Type

string

Default Value

""

Remarks

If there is a Kerberos principal, that Kerberos principal name should always be used to authenticate to the database.

KerberosKeytabFile

Identifies the Keytab file containing your pairs of Kerberos principals and encrypted keys.

Data Type

string

Default Value

""

Remarks

A keytab (short for “key table”) stores long-term keys for one or more principals. In most cases, end users authenticate to the KDC using their client secret (password). However, in situations where authentication or re-authentication happen using automated scripts and applications, it may be more efficient to use a keytab, which sends passwords to the KDC in encrypted form, automatically.

Keytabs are normally represented by files in a standard format, and named using the format type:value. Usually type is FILE and value is the absolute pathname of the file. The other possible value for type is MEMORY, which indicates a temporary keytab stored in the memory of the current process.

A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. They can be generated using kutil.

For example:

[admin@myhost]# ktutil

ktutil: addent -password -p starlord/myhost.galaxy.com@GALAXY.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for starlord/myhost.galaxy.com:

ktutil: addent -password -p starlord/myhost.galaxy.com@GALAXY.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for starlord/myhost.galaxy.com:

ktutil: addent -password -p starlord/myhost.galaxy.com@GALAXY.COM -k 1 -e des3-cbc-sha1
Password for starlord/myhost.galaxy.com:
ktutil: wkt /path/to/starlord.keytab

To display a keytab, use klist -k.

SSL

This section provides a complete list of SSL properties you can configure.

SSLServerCert

Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

If not specified, any certificate trusted by the machine is accepted.

Certificates are validated as trusted by the machine based on the System's trust store. The trust store used is the 'javax.net.ssl.trustStore' value specified for the system. If no value is specified for this property, Java's default trust store is used (for example, JAVA_HOME\lib\security\cacerts).

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

SSH

This section provides a complete list of SSH properties you can configure.

SSHAuthMode

The authentication method used when establishing an SSH Tunnel to the service.

Possible Values

None, Password, Public_Key

Data Type

string

Default Value

Password

Remarks

• None: No authentication is performed. The current SSHUser value is ignored, and the connection is logged in as anonymous.
• Password: The connector uses the values of SSHUser and SSHPassword to authenticate the user.
• Public_Key: The connector uses the values of SSHUser and SSHClientCert to authenticate the user. SSHClientCert must have a private key available for this authentication method to succeed.

SSHClientCert

A certificate to be used for authenticating the SSHUser.

Data Type

string

Default Value

""

Remarks

SSHClientCert must contain a valid private key in order to use public key authentication. A public key is optional, if one is not included then the connector generates it from the private key. The connector sends the public key to the server and the connection is allowed if the user has authorized the public key.

The SSHClientCertType field specifies the type of the key store specified by SSHClientCert. If the store is password protected, specify the password in SSHClientCertPassword.

Some types of key stores are containers which may include multiple keys. By default the connector will select the first key in the store, but you can specify a specific key using SSHClientCertSubject.

SSHClientCertPassword

The password of the SSHClientCert key if it has one.

Data Type

string

Default Value

""

Remarks

This property is required for SSH tunneling when using certificate-based authentication. If the SSH certificate is in a password-protected key store, provide the password using this property to access the certificate.

SSHClientCertSubject

The subject of the SSH client certificate.

Data Type

string

Default Value

*

Remarks

When loading a certificate the subject is used to locate the certificate in the store.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks the first certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=example@jbexample.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

SSHClientCertType

The type of SSHClientCert private key.

Possible Values

USER, MACHINE, PFXFILE, PFXBLOB, JKSFILE, JKSBLOB, PEMKEY_FILE, PEMKEY_BLOB, PPKFILE, PPKBLOB, XMLFILE, XMLBLOB

Data Type

string

Default Value

PEMKEY_FILE

Remarks

This property can take one of the following values:

SSHServer

The SSH server.

Data Type

string

Default Value

""

Remarks

The SSH server.

SSHPort

The SSH port.

Data Type

string

Default Value

22

Remarks

The SSH port.

SSHUser

The SSH user.

Data Type

string

Default Value

""

Remarks

The SSH user.

SSHPassword

The SSH password.

Data Type

string

Default Value

""

Remarks

The SSH password.

SSHServerFingerprint

The SSH server fingerprint.

Data Type

string

Default Value

""

Remarks

The SSH server fingerprint.

UseSSH

Whether to tunnel the DB2 connection over SSH. Use SSH.

Data Type

bool

Default Value

false

Remarks

By default the connector will attempt to connect directly to DB2. When this option is enabled, the connector will instead establish an SSH connection with the SSHServer and tunnel the connection to DB2 through it.

Schema

This section provides a complete list of schema properties you can configure.

Location

Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path.

Data Type

string

Default Value

%APPDATA%\DB2 Data Provider\Schema

Remarks

The Location property is only needed if you want to either customize definitions (for example, change a column name, ignore a column, etc.) or extend the data model with new tables, views, or stored procedures.

If left unspecified, the default location is %APPDATA%\DB2 Data Provider\Schema, where %APPDATA% is set to the user's configuration directory:

BrowsableSchemas

Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.

Data Type

string

Default Value

""

Remarks

Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.

Tables

Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC.

Data Type

string

Default Value

""

Remarks

Listing all available tables from some databases can take extra time, thus degrading performance. Providing a list of tables in the connection string saves time and improves performance.

If there are lots of tables available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those tables. To do this, specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.

Views

Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC.

Data Type

string

Default Value

""

Remarks

Listing all available views from some databases can take extra time, thus degrading performance. Providing a list of views in the connection string saves time and improves performance.

If there are lots of views available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those views. To do this, specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.

Miscellaneous

This section provides a complete list of miscellaneous properties you can configure.

AllowPreparedStatement

Prepare a query statement before its execution.

Data Type

bool

Default Value

true

Remarks

If the AllowPreparedStatement property is set to false, statements are parsed each time they are executed. Setting this property to false can be useful if you are executing many different queries only once.

If you are executing the same query repeatedly, you will generally see better performance by leaving this property at the default, true. Preparing the query avoids recompiling the same query over and over. However, prepared statements also require the connector to keep the connection active and open while the statement is prepared.

CharBitDataAsString

A Boolean value used to indicate whether parameters, result data, and schema information for iDB2CharBitData and iDB2VarCharBitData objects are treated as String values or as Byte array values.

Data Type

bool

Default Value

false

Remarks

Setting this property to true allows the application to retrieve the data as translated character strings instead of as an array of bytes. The default value is false.

CharBitDataCcsid

An Int32 value used to indicate which CCSID is used to translate iDB2CharBitData and iDB2VarCharBitData types when the CharBitDataAsString property is set to true. This property is ignored when CharBitDataAsString is set to false.

Data Type

int

Default Value

-1

Remarks

The default value is -1, and indicates that the host server job CCSID is used for translation. The link to the DB2 CCSID list is: https://www.ibm.com/docs/en/db2/11.5?topic=miexdc-ccsids-encoding-names The link to the DB2 iSeries/AS400 CCSID list is: https://www.ibm.com/docs/en/i/7.5?topic=information-ccsid-values-defined-i

TruncateString

This property specifies whether to truncate characters when INSERT or UPDATE is executed with a string that exceeds the column size.

Data Type

bool

Default Value

false

Remarks

By default it is False, which means if a string value exceeds the columns size, driver throws an exception.

Schema

The schema used by default.

Data Type

string

Default Value

""

Remarks

Set this property to execute SQL commands without having to specify the schema name.

IgnoreCase

Specifies whether to ignore case in SQL identifiers.

Data Type

bool

Default Value

false

Remarks

When IgnoreCase is set to false (default), SQL identifiers are sent to DB2 in the same case as they appear in the query. For example, SELECT * FROM Table is sent as SELECT * FROM "Table".

When IgnoreCase is set to true, SQL identifiers are converted to uppercase before being sent to DB2. For example, SELECT * FROM Table is sent as SELECT * FROM "TABLE".

This property only takes effect when QueryPassThrough is set to false.

MaxRows

Specifies the maximum rows returned for queries without aggregation or GROUP BY.

Data Type

int

Default Value

-1

Remarks

This property sets an upper limit on the number of rows the connector returns for queries that do not include aggregation or GROUP BY clauses. This limit ensures that queries do not return excessively large result sets by default.

When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting. If MaxRows is set to "-1", no row limit is enforced unless a LIMIT clause is explicitly included in the query.

This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.

Other

Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties.

Data Type

string

Default Value

""

Remarks

This property allows advanced users to configure hidden properties for specialized scenarios. These settings are not required for normal use cases but can address unique requirements or provide additional functionality. Multiple properties can be defined in a semicolon-separated list.

Specify multiple properties in a semicolon-separated list.

Integration and Formatting

QueryPassthrough

This option passes the query to the DB2 server as is.

Data Type

bool

Default Value

false

Remarks

When this is set, queries are passed through directly to DB2.

SwitchMode

This property allows you to specify a switching mode to select a server from AlternateServers as the active server.

Possible Values

None, Failover, LoadBalance

Data Type

string

Default Value

Failover

Remarks

There are three switching modes available: None: Always use the default server. Failover: When the active server cannot be accessed, another server in AlternateServers will be used as the active server. LoadBalance: This option includes the feature of "Failover". In addition, the active server will also be changed after a transcation is committed.

Specify SwitchMode:

SwitchMode=Failover;

SwitchStrategy

This property allows you to specify a switching strategy to select a server from AlternateServers as the active server.

Possible Values

Sequence, Random, BestResponse

Data Type

string

Default Value

Sequence

Remarks

There are three switching strategies available: Sequence: Always use the next server in AlternateServers as the active server. Random: Use a random server in AlternateServers as the active server. BestResponse: Always use the server with the shortest response time.

Specify SwitchStrategy:

SwitchStrategy=Random;

Timeout

Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

Data Type

int

Default Value

60

Remarks

This property controls the maximum time, in seconds, that the connector waits for an operation to complete before canceling it. If the timeout period expires before the operation finishes, the connector cancels the operation and throws an exception.

The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond the timeout value if each paging call completes within the timeout limit.

Setting this property to 0 disables the timeout, allowing operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server. Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.