Db2i

Overview

This guide outlines the configuration steps for adding Db2i as a resource in StrongDM.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. StrongDM supports drivers compatible with Db2i via standard PostgreSQL wire protocol.

Use this guide to complete all necessary preparations for adding Db2i to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection. Once complete, you’ll be able to use the StrongDM Desktop application or CLI to connect.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports IBM Db2 i servers running version 7.3 or higher, including both on-premises and hosted deployments.

Db2 i is wire-compatible with PostgreSQL over its native protocol. Accordingly, StrongDM supports any clients leveraging the PostgreSQL wire protocol, including:

• psql, DBeaver, DataGrip, and other PostgreSQL-capable tools

• Application drivers/libraries like JDBC, libpq, or psycopg2

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

• Administrator permission level

• At least one operational StrongDM node (gateway, relay, or proxy cluster) with network access to your Db2 i host and port (8471)

• If using secrets management tools for storing your database credentials, a Secret Store configured in StrongDM

On the Db2i side, you must have the following:

• Running Db2 i instance accessible over network

• Database user with proper access to the target database

• Network configuration (firewall, VPC, and so forth) allowing StrongDM node access

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

# Add Db2i datasource
sdm admin datasources add db2i db2i-prod
  --hostname="db2i.example.org"
  --port=8471
  --username="db2i_user"
  --password="secret"
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="12345"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="db2i-prod"
  --tags="env=production,team=dbadmin"

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Db2i resource
resource "sdm_db2i" "db2i_prod" {
  name             = "db2i-prod"
  hostname         = "db2i.example.org"
  port             = 8471
  username         = "db2i_user"
  password         = "secret"

  tls_required     = true
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  secret_store_id  = "se-e1b2"
  subdomain        = "db2i-prod"
  tags = {
    env  = "production"
    team = "dbadmin"
  }
}

Configuration Properties

The following configuration properties are required to define a Db2i datasource in StrongDM. These settings control how StrongDM connects to the database, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.

2. In the CLI, run sdm status to list the available datasources. Confirm that the resource is available.

3. Start a session. For example:

   Copy

   sdm connect db2i-prod

   See the CLI Reference documentation for details on sdm connect.

4. Connect using a PostgreSQL-compatible client. For example:

   Copy

   psql -h $PGHOST -p $PGPORT -U $PGUSER

5. In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to verify your session was captured.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

• Resource name or ID

• CLI error output or logs

• Node name and region