Authentication Type (authentication)

Configuration Type
Database manager

Applies to

Parameter Type
Configurable

Default [Range]
SERVER [ CLIENT; SERVER; SERVER_ENCRYPT; DCS; DCS_ENCRYPT; DCE; DCE_SERVER_ENCRYPT ]

This parameter determines how and where authentication of a user takes place. If authentication is SERVER, then the user ID and password are sent from the client to the server so authentication can take place on the server. The value SERVER_ENCRYPT provides the same behavior as SERVER, except that any passwords sent over the network are encrypted. A value of CLIENT indicates that all authentication takes place at the client, so no authentication needs to be performed at the server. For a client-only node, CLIENT, SERVER, and DCS are effectively the same. The value DCS_ENCRYPT provides the same behavior as DCS, except that any passwords sent over the network are encrypted. A value of DCE means that authentication is performed using DCE Security Services. If you are using APPC and a communications product that does not expose the client's password to the DB2 server, you can specify DCS to obtain:

Two authentication values support password encryption: SERVER_ENCRYPT and DCS_ENCRYPT. These values provide the same function as SERVER and DCS in terms of authentication location, except that any passwords that flow are encrypted at the source and require decryption at the target, as specified by the authentication type cataloged at the source. Encrypted and non-encrypted values with matching authentication locations can then be used to choose different encryption combinations between the client and gateway or the gateway and server, without affecting where authentication occurs. Some examples of how this can be used in a gateway scenario are as follows:
Authentication    Authentication    Authentication    Client-Gateway    Gateway-Server
at Client         at Gateway        Location          Encryption?       Encryption?
--------------    --------------    --------------    --------------    --------------
SERVER_ENCRYPT    SERVER            Gateway           Yes               No
DCS_ENCRYPT       DCS               Server            Yes               No
DCS               DCS_ENCRYPT       Server            No                Yes
DCS_ENCRYPT       DCS_ENCRYPT       Server            Yes               Yes

For the numeric equivalents and API constants for these values, refer to the API Reference.
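
The gateway table above can be derived from two rules, shown here as an added example that is not part of the original documentation or of DB2 itself. The function names are hypothetical, the location mapping (SERVER at the gateway, DCS at the server) is inferred from the four rows, and rejecting pairs whose locations differ is this example's assumption.

```python
# Added example: models the gateway scenario table for SERVER/DCS values.
ENCRYPT_SUFFIX = "_ENCRYPT"
# Base type -> authentication location (inferred from the table's rows).
LOCATION = {"SERVER": "Gateway", "DCS": "Server"}


def is_encrypted(auth):
    """True when the cataloged value is one of the *_ENCRYPT forms."""
    return auth.strip().upper().endswith(ENCRYPT_SUFFIX)


def base_type(auth):
    """Strip _ENCRYPT: the base value alone decides where authentication occurs."""
    auth = auth.strip().upper()
    return auth[:-len(ENCRYPT_SUFFIX)] if is_encrypted(auth) else auth


def evaluate(client_auth, gateway_auth):
    """Return the location and per-hop password encryption for a cataloged pair."""
    c_base, g_base = base_type(client_auth), base_type(gateway_auth)
    if c_base not in LOCATION or g_base not in LOCATION:
        raise ValueError("only SERVER/DCS and their _ENCRYPT forms are modeled")
    if c_base != g_base:  # assumption: locations must match across the chain
        raise ValueError(f"authentication locations differ: {c_base} vs {g_base}")
    # Encryption on each hop follows the type cataloged at that hop's source.
    return {
        "location": LOCATION[c_base],
        "client_gateway_encrypted": is_encrypted(client_auth),
        "gateway_server_encrypted": is_encrypted(gateway_auth),
    }


def unencrypted_hops(client_auth, gateway_auth):
    """List the hops that the table would mark 'No' under Encryption?."""
    result = evaluate(client_auth, gateway_auth)
    hops = [("client-gateway", result["client_gateway_encrypted"]),
            ("gateway-server", result["gateway_server_encrypted"])]
    return [name for name, encrypted in hops if not encrypted]


if __name__ == "__main__":
    # Constructed sample: the four (client, gateway) pairs from the table.
    for pair in [("SERVER_ENCRYPT", "SERVER"), ("DCS_ENCRYPT", "DCS"),
                 ("DCS", "DCS_ENCRYPT"), ("DCS_ENCRYPT", "DCS_ENCRYPT")]:
        print(pair, evaluate(*pair), unencrypted_hops(*pair))
```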

The DCE_SERVER_ENCRYPT value is for use on a server only. This value indicates that the server can accept either DCE authentication or SERVER_ENCRYPT authentication.

Recommendation: Typically, the default (SERVER) is adequate.