DRDA connection authorization failure
The error message given for an authorization failure is SQ30082. The message text is:
Authorization failure on distributed database connection attempt. The cause section of the message gives a reason code and a list of meanings for the possible reason codes. Reason code 17 means that an unsupported security mechanism (SECMEC) was used.
DB2 Universal Database™ for iSeries™ implements several Distributed Relational Database Architecture™ (DRDA®) SECMECs that an i5/OS® application requester (AR) can use:
- User ID only
- User ID with password
- Encrypted password security mechanism
- Kerberos (V5R2)
The encrypted password is sent only if a password is available at the time the connection is initiated.
The default SECMEC for i5/OS requires a user ID with a password. If the application requester sends a user ID with no password to a system that has the default security configuration, error message SQ30082 with reason code 17 is given. Solutions for the unsupported security mechanism failure are:
- If the client is trusted by the server and authentication is not required, change the DDM TCP/IP server's authentication setting to password not required.
- If the client is not trusted by the server and authentication is required, change the application to send either a password or authenticated security token (for example, a Kerberos token).
To change the authentication setting of the DDM TCP/IP server, you can use the Change DDM TCP/IP Attributes (CHGDDMTCPA) command or iSeries Navigator. If you use iSeries Navigator, expand Network > Servers > TCP/IP > DDM, right-click DDM, and select Properties to change the setting.
You can send a password by using the USER/USING form of the SQL CONNECT statement. You can also send a password by using the Add Server Authentication Entry (ADDSVRAUTE) command. The command stores the remote user ID and password in a server authentication entry for the user profile that you use to make the connection attempt. An attempt is automatically made to send the password encrypted. Systems prior to V4R5 could neither send encrypted passwords nor decrypt encrypted passwords of the type sent by OS/400® V4R5 ARs.
Note that system value QRETSVRSEC (retain server security data) must be set to '1' before the remote password can be stored in the server authentication entry. Attention: You must enter the RDB name on the Add Server Authentication Entry (ADDSVRAUTE) command in uppercase for use with DRDA, or the name will not be recognized during connection processing and the information in the authentication entry will not be used.
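The following CL sequence is an added example of the two fixes described above, on the server side (CHGDDMTCPA) and on the application requester side (QRETSVRSEC and ADDSVRAUTE). It is not taken from the original topic. The RDB name RCHASRDB, the user profile APPUSR, the remote user ID RMTUSR and the password are assumptions chosen for illustration; substitute your own values.

```cl
/* ---- On the DDM/DRDA server (target system) --------------------------- */
/* Only if the client is trusted and authentication is not required:       */
/* accept a user ID with no password.                                      */
CHGDDMTCPA PWDRQD(*NO)

/* Usual choice: keep the default and require a password, so that a        */
/* client sending user ID only still gets SQ30082 reason code 17.          */
CHGDDMTCPA PWDRQD(*YES)

/* ---- On the application requester (source system) --------------------- */
/* QRETSVRSEC must be '1' or ADDSVRAUTE cannot store the remote password.  */
CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')

/* Store the remote user ID and password for the profile that will run     */
/* the CONNECT. SERVER() is the RDB name and must be in uppercase (the     */
/* quoted value is taken as typed, so do not type it in lowercase).        */
/* RCHASRDB, APPUSR, RMTUSR and the password are assumed example values.  */
ADDSVRAUTE USRPRF(APPUSR) SERVER('RCHASRDB') USRID(RMTUSR) PASSWORD('s3cret')

/* With the entry in place a plain CONNECT from APPUSR sends the password, */
/* encrypted where the server supports it. Without an entry, supply it on   */
/* the statement itself, for example in embedded SQL:                      */
/*   EXEC SQL CONNECT TO RCHASRDB USER :userid USING :password;            */
```

Run the server-side commands on the system that reports SQ30082 and the requester-side commands on the system that issues the CONNECT. The first CHGDDMTCPA is shown only for the trusted-client case; in a typical deployment leave PWDRQD at a value that requires a password and fix the requester instead.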
Parent topic:
Handling connection request failures for TCP/IP
Related reference
Add Server Authentication Entry (ADDSVRAUTE) command
Change DDM TCP/IP Attributes (CHGDDMTCPA) command