0 / 0
User credentials and authentication methods in Watson Query

Connecting and authenticating to the Watson Query service

Watson Query uses your IBM® Cloud credentials to connect to the service.

Authorization

Cloud Pak for Data users who are authorized can connect to and use Watson Query. For more information, see Managing roles for users in Watson Query.

Watson Query roles are used for authorization, independently of group membership. Watson Query uses role-based access control for database-level and object-level authorization. Watson Query follows authorization based on the Db2® Authorities and Privilege model.
Authentication

If you authenticate to Watson Query by using JDBC client applications or you are prompted when you preview assets in the catalog or project, you must specify the API key or auth token.

A Watson Query Managers must explicitly add Cloud Pak for Data users to the Watson Query service in order for these users to authenticate to the service directly. When the Watson Query Managers adds a Cloud Pak for Data user to the service, a Watson Query role is assigned to the user.

Watson Query supports the following authentication methods.

User IDs

When you add a user in Watson Query, the Add IBMid user page prompts for a valid IBMid. This ID is the IBM Cloud ID. The Watson Query User ID is created automatically as dv_<ibm_id>.

JWT tokens

You can connect with JSON Web Tokens (JWT).

JDBC access token
"jdbc:db2://Host_name_or_IP_address/Database_name:accessToken=Access_token;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"

Where Access_token is the Cloud Pak for Data platform or instance token.

CLP access token
Connect to the database server Database_server_name and pass the access token by running the following command from a CLP interface or from a script.
CONNECT TO Database_server_name ACCESSTOKEN Access_token
CLPPlus access token
Connect to the DSN alias (@Data_source_name) and pass the access token by running the following command from a CLPPLUS interface or from a script.
CONNECT @Data_source_name using(accesstoken Access_token)

API keys

You can connect by providing an API key.

ODBC API Key
Use ODBC to connect to Watson Query.
  1. Run the following commands to add configuration details to the db2dsdriver.cfg driver configuration file:
    db2cli writecfg add -database bludb -host <HOSTNAME> -port <SSL PORT>
    db2cli writecfg add -database bludb -host <HOSTNAME> -port <SSL PORT> -parameter "SecurityTransportMode=SSL"
    db2cli writecfg add -database bludb -host <HOSTNAME> -port <SSL PORT> -parameter "Authentication=GSSPLUGIN"
    db2cli writecfg add -dsn watsonquery -database bludb -host <HOSTNAME> -port <SSL PORT>
  2. Run the following command to validate the ODBC configuration:
    db2cli validate -dsn watsonquery -connect -user IBM_SUBSTTOKEN_APIKEY -passwd <API_key>
JDBC API key
"jdbc:db2://Host_name_or_IP_address:DV_SSL_port/Database_name:apiKey=API_key;securityMechanism=15;pluginName=IBMIAMauth;sslConnection=true"
Where API_key is the Cloud Pak for Data platform or instance API key.
CLP API key
Connect to the database server Database_server_name with an API key by running the following command from a CLP interface or from a script.
CONNECT TO Database_server_name APIKEY API_key
CLPPlus API key
Connect to the DSN alias (@data_source_name) with an API key by running the following command from a CLPPLUS interface or from a script.
CONNECT @Data_source_name using(apikey API_key)
Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more