Setting BRMS to Use DRDA/DDM Conjoined Mutual Authentication

BRMS network support has been enhanced to support DRDA/DDM Conjoined Mutual Authentication starting with the January 2020 BRMS PTFs (7.2 - SI71874, 7.3 - SI71875, and 7.4 - SI71876). For more information, see "Enable DRDA and DDM authentication using user profile's password information" under "Client security in a TCP/IP network" in the IBM i Knowledge Center.

To enable conjoined mutual authentication in the BRMS network, the following software must be installed:

  • All systems in the BRMS network require IBM i 7.2 or later with the December 2019 PTF level.

Verify or make the following changes on every system in the BRMS network:

  • The environment variable QIBM_CONJOINED_MUT_AUTH must exist at the system level (LEVEL(*SYS)) with a value of 'Y'. A job-level or user-level copy of the variable is not sufficient. Add it with the Add Environment Variable (ADDENVVAR) command:

      ADDENVVAR ENVVAR(QIBM_CONJOINED_MUT_AUTH) VALUE('Y') LEVEL(*SYS)

  • All networked systems must have the same password level specified in the system value QPWDLVL. Check each system with DSPSYSVAL SYSVAL(QPWDLVL) before enabling the feature.

  • The user profile used for the BRMS network connection must be defined with the same user ID and the same password on all networked systems.

  • The TCP/IP DDM server attributes must require a password. Use one of the following commands to change the DDM TCP/IP attributes for secured operations:

      CHGDDMTCPA PWDRQD(*YES)
      CHGDDMTCPA PWDRQD(*USRIDPWD)

  • Automated secure TCP/IP DDM operations do not function unless the passwords used for authentication can be stored on the system. Set the QRETSVRSEC system value to '1' so that server authentication passwords are retained:

      CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')

  • The QBRMS user profile must have a password, and that password must be the same on all systems in the BRMS network.

  • The QBRMS user profile must be enabled and must prohibit interactive sign-on. The following command enables the profile and sets its initial program and menu so that any interactive sign-on is immediately signed off:

      CHGUSRPRF USRPRF(QBRMS) STATUS(*ENABLED) INLPGM(QBRM/Q1ARLSO) INLMNU(*SIGNOFF)

  • The application server must be configured to require a password.
    NOTE: When the application server is configured to require a password, do not explicitly add server authentication entries (for example with the ADDSVRAUTE command) for that server.
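The following CL program is an added example and not BRMS-supplied code; the program name SETCONJAUT, its two parameters and the DDM server restart at the end are this example's own choices. It applies the prerequisites above on one system, treats a QPWDLVL that differs from the level the network agreed on as an error instead of silently changing it (a QPWDLVL change affects every profile on the system and needs an IPL), and reruns cleanly because ADDENVVAR uses REPLACE(*YES). Run it on every system in the BRMS network with the same arguments.

```cl
/* SETCONJAUT - prepare one system for BRMS DRDA/DDM conjoined mutual */
/* authentication. Added example, not IBM-supplied code.              */
/*                                                                    */
/* Call it on every BRMS network system with the agreed QPWDLVL and   */
/* the shared QBRMS password, e.g. from a caller that declares        */
/* &PWD as *CHAR LEN(128):  CALL PGM(SETCONJAUT) PARM('2' &PWD)       */
/* (a literal on CALL is only padded to 32 bytes, so pass a variable  */
/* for the password). Needs *SECADM, *IOSYSCFG and *JOBCTL authority. */
             PGM        PARM(&EXPPWDLVL &QBRMSPWD)

             DCL        VAR(&EXPPWDLVL) TYPE(*CHAR) LEN(1)
             DCL        VAR(&QBRMSPWD)  TYPE(*CHAR) LEN(128)
             /* QPWDLVL is retrieved as a 1-digit decimal; verify the */
             /* declared type against RTVSYSVAL on your release.      */
             DCL        VAR(&PWDLVL)    TYPE(*DEC)  LEN(1 0)
             DCL        VAR(&RETSVRSEC) TYPE(*CHAR) LEN(1)

             /* 1. Password level must match the rest of the network. */
             /*    Stop with an escape message rather than change it. */
             RTVSYSVAL  SYSVAL(QPWDLVL) RTNVAR(&PWDLVL)
             IF         COND(%CHAR(&PWDLVL) *NE &EXPPWDLVL) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('QPWDLVL is' *BCAT %CHAR(&PWDLVL) +
                                  *BCAT 'but the BRMS network uses' +
                                  *BCAT &EXPPWDLVL) +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* 2. Allow server authentication passwords to be stored */
             /*    (only change the system value when it is not '1'). */
             RTVSYSVAL  SYSVAL(QRETSVRSEC) RTNVAR(&RETSVRSEC)
             IF         COND(&RETSVRSEC *NE '1') THEN( +
                        CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1'))

             /* 3. System-level environment variable that enables the */
             /*    feature. REPLACE(*YES) makes the program rerunnable. */
             ADDENVVAR  ENVVAR(QIBM_CONJOINED_MUT_AUTH) VALUE('Y') +
                        LEVEL(*SYS) REPLACE(*YES)

             /* 4. DDM/DRDA server must require user ID and password. */
             CHGDDMTCPA PWDRQD(*USRIDPWD)

             /* 5. QBRMS: enabled, shared password, no interactive use. */
             CHGUSRPRF  USRPRF(QBRMS) PASSWORD(&QBRMSPWD) +
                        STATUS(*ENABLED) INLPGM(QBRM/Q1ARLSO) +
                        INLMNU(*SIGNOFF)

             /* 6. Restart the DDM server so new server jobs use the  */
             /*    changed attribute (restart added by this example;   */
             /*    ENDTCPSVR fails harmlessly if the server is down).  */
             ENDTCPSVR  SERVER(*DDM)
             MONMSG     MSGID(TCP0000)
             STRTCPSVR  SERVER(*DDM)

             SNDPGMMSG  MSG('Conjoined mutual authentication' *BCAT +
                        'prerequisites applied. Verify with' *BCAT +
                        'WRKENVVAR LEVEL(*SYS) and DSPDDMTCPA.') +
                        MSGTYPE(*COMP)
             ENDPGM
```

After the program completes, confirm the result with WRKENVVAR LEVEL(*SYS) (the variable must show at the system level, not only in the current job) and DSPDDMTCPA (password required must show *USRIDPWD or *YES), and compare DSPSYSVAL SYSVAL(QPWDLVL) across all systems before starting BRMS network operations.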

After ensuring all security and software requirements are met, you are ready to begin using the Conjoined Mutual Authentication features.