Establishing a Connection
The CData MCP Server for DB2 defines each connection to DB2 as a named configuration that Claude can use when sending natural language queries.
You create and manage these configurations using the MCP Configuration Tool. The tool automatically handles formatting, storage, and registration with Claude Desktop.
Understanding Connection Configurations
Each connection configuration is stored in a .mcp file. This file includes the details needed to initialize the connector when Claude starts a session.
- On Windows, configuration files are stored in "~/AppData/Roaming/CData/DB2 Data Provider/".
- On macOS, configuration files are stored in "~/Library/Application Support/CData/DB2 Data Provider/".
The .mcp file is a text file that contains a list of connection properties and a timestamp. For example:
#Tue May 20 15:48:40 EDT 2025
AuthScheme=Basic
User=myUser
Password=myPassword
Security Token=myToken
The configuration tool handles these settings automatically. Each saved configuration enables Claude to launch a dedicated MCP Server instance with the correct connector and options. Manual file editing is not required.
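The sample above keeps the Password and Security Token values in the text file, so it matters who can read that file. The following is an added example, not CData's code: it parses files of the shape shown above and reports secret-bearing properties and, on POSIX systems, group/other access. The file name example.mcp and the sample values are constructed.

```python
import os
import stat
import tempfile

# Keys the page's sample shows holding secrets, compared without spaces or case.
SECRET_KEYS = {"password", "securitytoken"}


def parse_mcp(text):
    """Return {key: value} from key=value lines; '#' lines (the timestamp) are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_mcp(path):
    """Return findings for one .mcp file; secret values are never echoed."""
    with open(path, encoding="utf-8") as fh:
        props = parse_mcp(fh.read())
    findings = [f"property '{k}' holds a secret value" for k, v in props.items()
                if v and k.replace(" ", "").lower() in SECRET_KEYS]
    if os.name == "posix":  # Windows ACLs are outside this sketch
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"file mode {mode:o} allows group/other access")
    return findings


def demo():
    """Audit a constructed file at mode 0644, then again at 0600."""
    sample = ("#Tue May 20 15:48:40 EDT 2025\nAuthScheme=USRIDPWD\n"
              "User=myUser\nPassword=myPassword\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.mcp")  # constructed file name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        before = audit_mcp(path)
        os.chmod(path, 0o600)
        after = audit_mcp(path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Point audit_mcp at each file in the configuration directory listed above for your platform.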
Connecting to DB2
To connect to DB2, set these properties:
- Server: The name of the server running DB2.
- Port: The port the DB2 server is listening on.
- Database: The name of the DB2 database.
Once you are ready to connect, choose an authentication scheme and set the appropriate properties, as described below.
Authenticating to DB2
The server supports four different schemes for authenticating to DB2: DB2 user credentials (default), encrypted user credentials, IBM Identity and Access Management (IAM) authentication, and Kerberos.
DB2 User Credentials
To authenticate using user credentials, set these properties:
- AuthScheme: USRIDPWD.
- User: The username of a user with access to the database.
- Password: The password of a user with access to the database.
Encrypted User Credentials
If your server supports secure authentication and you want to authenticate using encrypted user credentials, set this property:
- AuthScheme: EUSRIDPWD
IAM
The server supports authenticating to the DB2 server using the API key of an application that connects to it, such as Watson Query.
To authenticate using an appropriate API key, set these properties:
- AuthScheme: IBMIAMAuth.
- User: The IBM ID or service ID of a DB2 server user.
- Password: The API key associated with the application that requires access to the DB2 database.
Kerberos
Authenticating to DB2 via Kerberos requires you to define authentication properties and choose how Kerberos should retrieve authentication tickets.
To authenticate to DB2 with Kerberos, set these properties:
- AuthScheme: KERBEROS.
- KerberosKDC: The Kerberos Key Distribution Center (KDC) service used to authenticate the user.
- KerberosUser: The principal name for the Kerberos domain controller, specified in the format host/user@realm.
- KerberosSPN (optional): The Kerberos Domain Controller's Service Principal Name (SPN).
Finally, to complete the security check, set either of the following:
- Password: The password provided for authentication to the database.
- KerberosKeytabFile: The Keytab file containing your pairs of Kerberos principals and encrypted keys.
Retrieving Kerberos Tickets
Kerberos tickets are used to authenticate the requester's identity. The use of tickets instead of formal logins/passwords eliminates the need to store passwords locally or send them over a network. Users are reauthenticated (tickets are refreshed) whenever they log in at their local computer or enter kinit USER at the command prompt.
The server provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.
MIT Kerberos Credential Cache File
This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.
This option requires that KRB5CCNAME has been created in your system.
To enable ticket retrieval via MIT Kerberos Credential Cache Files:
- Ensure that the KRB5CCNAME variable is present in your environment.
- Set KRB5CCNAME to a path that points to your credential cache file. (For example, C:\krb_cache\krb5cc_0 or /tmp/krb5cc_0.) The credential cache file is created when you use the MIT Kerberos Ticket Manager to generate your ticket.
- To obtain a ticket:
  - Open the MIT Kerberos Ticket Manager application.
  - Click Get Ticket.
  - Enter your principal name and password.
  - Click OK.
If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.
The server uses the cache file to obtain the Kerberos ticket to connect to DB2.
Note: If you would prefer not to edit KRB5CCNAME, you can use the KerberosTicketCache property to set the file path manually. After this is set, the server uses the specified cache file to obtain the Kerberos ticket to connect to DB2.
Keytab File
If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.
To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.
User and Password
If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.
To use this method, set the User and Password properties to the user/password combination that you use to authenticate with DB2.
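The three retrieval options above are tried in a fixed order, so a missing KRB5CCNAME or keytab can silently turn a ticket-based setup into one that depends on a stored password. The following is an added example, not CData's code: it works out which source a given set of properties and environment variables would select and checks that the cache or keytab file exists and is not group/other accessible. The precedence of KerberosTicketCache over KRB5CCNAME is an assumption, and the paths and values are constructed.

```python
import os
import tempfile


def ticket_source(props, env):
    """Apply the three documented rules in order; return (method, path or None)."""
    # Assumption: an explicit KerberosTicketCache property wins over KRB5CCNAME.
    cache = props.get("KerberosTicketCache") or env.get("KRB5CCNAME")
    if cache:
        return "credential_cache", cache
    if props.get("KerberosKeytabFile"):
        return "keytab", props["KerberosKeytabFile"]
    if props.get("User") and props.get("Password"):
        return "user_password", None
    return "none", None


def preflight(props, env):
    """Return (method, issues) for one connection's Kerberos settings."""
    method, path = ticket_source(props, env)
    issues = []
    if method == "user_password":
        issues.append("falls back to User/Password stored in the configuration")
    elif method == "none":
        issues.append("no ticket source configured")
    else:
        # MIT Kerberos accepts a FILE: type prefix on cache names.
        local = path[5:] if path.startswith("FILE:") else path
        if not os.path.isfile(local):
            issues.append(f"{method} file not found: {local}")
        elif os.name == "posix" and os.stat(local).st_mode & 0o077:
            issues.append(f"{method} file is accessible to group/other")
    return method, issues


def demo():
    """Constructed inputs: a keytab at mode 0640, then the same keytab at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        keytab = os.path.join(tmp, "svc.keytab")  # constructed path
        open(keytab, "wb").close()
        props = {"AuthScheme": "KERBEROS", "User": "myUser",
                 "KerberosKeytabFile": keytab}
        os.chmod(keytab, 0o640)
        loose = preflight(props, {})
        os.chmod(keytab, 0o600)
        tight = preflight(props, {})
    return loose, tight


if __name__ == "__main__":
    print(demo())
```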
Enabling Cross-Realm Authentication
More complex Kerberos environments can require cross-realm authentication where multiple realms and KDC servers are used. For example, they might use one realm/KDC for user authentication, and another realm/KDC for obtaining the service ticket.
To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.