DB2 Connect User's Guide
As DB2 Connect administrator, in cooperation with your host or AS/400
database administrator, you can determine where user names and passwords are
validated. There are five possibilities:
- Validation at the client
- Validation at the DB2 Connect workstation
- Validation at both the DB2 Connect workstation and the host or AS/400
server
- Validation at the host or AS/400 server
- Validation at a DCE security server.
You determine where validation occurs by setting the Authentication type
parameter in the system database directory, and the Security type parameter in
the node directory for APPC or APPN nodes. For more information about
updating these directories, see Updating Database Directories.
Notes:
- DB2 Connect itself performs no user validation. If you want to have
the DB2 Connect workstation perform validation, the local security subsystem
will be used to verify the userid and password provided with each
CONNECT request. Therefore, when you set up a DB2 Connect
Enterprise Edition gateway, if you will use AUTHENTICATION=SERVER,
you must set up all the necessary userids and passwords on the gateway
system.
- If you use DCE Directory Services, authentication works
differently. For more information, see Security with DCE Directory Services.
The following authentication types are allowed with DB2 Connect Version
5:
- CLIENT: The user name and password are validated at the client.
- SERVER: The user name and password are validated at the DB2 Connect
workstation. When no authentication is specified, SERVER is
assumed.
- SERVER_ENCRYPT: As for SERVER authentication, the user name and password are
validated at the DB2 Connect workstation, but the transferred passwords are
encrypted at the client and decrypted at the DB2 Connect workstation.
- DCS: The user name and password are validated at the host or AS/400 database
server.
- DCS_ENCRYPT: As for DCS authentication, the user name and password are
validated at the host or AS/400 database server, but the transferred passwords
are encrypted at the client and, depending on the authentication type specified
at the DB2 Connect workstation, decrypted at the DB2 Connect workstation or
host or AS/400 database server.
- DCE: The user name and password are validated at the DCE security
server.
SERVER_ENCRYPT and DCS_ENCRYPT authentication have the same semantics as
SERVER and DCS authentication in terms of authentication location. They
differ in that any transferred passwords will be encrypted at the source (the
client or the DB2 Connect server) and decrypted at the target (the DB2 Connect
server or the host or AS/400 database server) as specified by the
authentication type catalogued at the source. Encrypted and
non-encrypted values with matching authentication locations can then be used
to choose different encryption combinations between client and Connect server
or Connect server and host or AS/400 database server, while not affecting
where authentication takes place. Here are some examples of how this
might be used in a gateway scenario, where "gateway" is used to denote the
Connect server:
| Authentication at Client | Authentication at Gateway | Authentication Location | Client-Gateway Encryption? | Gateway-Server Encryption? |
|---|---|---|---|---|
| SERVER_ENCRYPT | SERVER | gateway | yes | no |
| DCS_ENCRYPT | DCS | server | yes | no |
| DCS | DCS_ENCRYPT | server | no | yes |
| DCS_ENCRYPT | DCS_ENCRYPT | server | yes | yes |
The only APPC security parameter supported when either SERVER_ENCRYPT or
DCS_ENCRYPT is used is SECURITY=NONE.
Notes:
- For any system database directory entry that DB2 Connect uses for
establishing a connection, if the authentication parameter is not specified,
then DB2 Connect will use authentication SERVER.
- As with DB2 Universal Database client-server communications, the
authentication type is not required at a remote client attached to a DB2
Connect Enterprise Edition gateway, but it may be specified there to help
optimize performance: the client then does not need to obtain it from the
gateway, which reduces the elapsed time for transactions.
- In the case of a discrepancy between the value at the client and value at
the gateway, the value specified at the DB2 Connect gateway takes
precedence.
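
The rules above (the table rows, the SERVER default, gateway precedence and the SECURITY=NONE restriction) as an added Python example, not code from the DB2 documentation. It generalises the four table rows to any pair from the SERVER and DCS families; evaluate, base_type and appc_security are names assumed for this sketch, and a remote client with no catalogued value is assumed to use the gateway's value.

```python
# Added example: models only the SERVER and DCS families from this page's table.
ENCRYPT = "_ENCRYPT"
LOCATION = {"SERVER": "gateway", "DCS": "server"}  # where validation happens

def base_type(auth):
    """SERVER_ENCRYPT -> SERVER, DCS_ENCRYPT -> DCS; other values unchanged."""
    return auth[:-len(ENCRYPT)] if auth.endswith(ENCRYPT) else auth

def evaluate(client_auth=None, gateway_auth=None, appc_security=None):
    """Assess one client/gateway pair of catalogued authentication types.

    appc_security is the Security type of an APPC node on the path, if any
    (hypothetical parameter name; None means no APPC node is involved).
    """
    gateway = (gateway_auth or "SERVER").upper()  # unspecified: SERVER is used
    client = (client_auth or gateway).upper()     # unspecified: taken from gateway
    for value in (client, gateway):
        if base_type(value) not in LOCATION:
            raise ValueError(f"{value} is outside the SERVER/DCS families")
    findings = []
    if base_type(client) != base_type(gateway):
        findings.append(f"client {client} and gateway {gateway} disagree on "
                        "location; the gateway value takes precedence")
    # A hop's encryption follows the type catalogued at the source of that hop.
    hops = {"client-gateway": client.endswith(ENCRYPT),
            "gateway-server": gateway.endswith(ENCRYPT)}
    for hop, encrypted in hops.items():
        if not encrypted:
            findings.append(f"any password sent on the {hop} hop is not encrypted")
    if any(hops.values()) and appc_security not in (None, "NONE"):
        findings.append(f"APPC SECURITY={appc_security} is not supported with "
                        "*_ENCRYPT; only SECURITY=NONE is")
    return {"location": LOCATION[base_type(gateway)], "hops": hops,
            "findings": findings}

if __name__ == "__main__":
    # Constructed inputs: the four table rows plus an all-defaults entry.
    pairs = [("SERVER_ENCRYPT", "SERVER"), ("DCS_ENCRYPT", "DCS"),
             ("DCS", "DCS_ENCRYPT"), ("DCS_ENCRYPT", "DCS_ENCRYPT"), (None, None)]
    for client, gateway in pairs:
        print(client, gateway, evaluate(client, gateway))
```

An empty findings list corresponds to the last table row, where both hops are encrypted.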