DB2 Connect User's Guide

Authentication

As DB2 Connect administrator, in cooperation with your host or AS/400 database administrator, you determine where user names and passwords are validated. The possible locations correspond to the authentication types described below.

You determine where validation occurs by setting the authentication type parameter in the system database directory, and the security type parameter in the node directory for APPC or APPN nodes. For more information about updating these directories, see Updating Database Directories.

Notes:

  1. DB2 Connect itself performs no user validation. If you want the DB2 Connect workstation to perform validation, the local security subsystem of that workstation is used to verify the userid and password supplied with each CONNECT request. Therefore, when you set up a DB2 Connect Enterprise Edition server with AUTHENTICATION=SERVER, you must define all the necessary userids and passwords on that server system.

  2. If you use DCE Directory Services, authentication works differently. For more information, see Security with DCE Directory Services.

The following authentication types are allowed with DB2 Connect:

CLIENT
The user name and password are validated at the client.

SERVER
The user name and password are validated at the DB2 Connect workstation. When no authentication is specified, SERVER is assumed.

SERVER_ENCRYPT
As for SERVER authentication, the user name and password are validated at the DB2 Connect workstation, but the transferred passwords are encrypted at the client and decrypted at the DB2 Connect workstation.

DCS
The user name and password are validated at the host or AS/400 database server.

DCS_ENCRYPT
As for DCS authentication, the user name and password are validated at the host or AS/400 database server, but the transferred passwords are encrypted at the client and decrypted either at the DB2 Connect workstation or at the host or AS/400 database server, depending on the authentication type specified at the DB2 Connect workstation.

DCE
The user name and password are validated at the DCE security server.

SERVER_ENCRYPT and DCS_ENCRYPT authentication have the same semantics as SERVER and DCS authentication in terms of authentication location. They differ in that any transferred passwords will be encrypted at the source (the client or the DB2 Connect server) and decrypted at the target (the DB2 Connect server or the host or AS/400 database server) as specified by the authentication type catalogued at the source.

Encrypted and non-encrypted values with matching authentication locations can therefore be combined to choose different encryption settings for the client-to-DB2 Connect server hop and the DB2 Connect server-to-host or AS/400 hop, without affecting where authentication takes place. The following examples show how this might be used in a gateway scenario, where "gateway" denotes the DB2 Connect server:

  Authentication   Authentication   Authentication   Client-Gateway   Gateway-Server
  at Client        at Gateway       Location         Encryption?      Encryption?
  ---------------  ---------------  ---------------  ---------------  ---------------
  SERVER_ENCRYPT   SERVER           gateway          yes              no
  DCS_ENCRYPT      DCS              server           yes              no
  DCS              DCS_ENCRYPT      server           no               yes
  DCS_ENCRYPT      DCS_ENCRYPT      server           yes              yes

The only APPC security parameter supported when either SERVER_ENCRYPT or DCS_ENCRYPT is used is SECURITY=NONE. Note that these types encrypt only the transferred password; they do not encrypt the data that flows over the connection once it is established.

Notes:

  1. For any system database directory entry that DB2 Connect uses for establishing a connection, if the authentication parameter is not specified, then DB2 Connect will use authentication SERVER.

  2. As with DB2 Universal Database client-server communications, the authentication type is not required at a remote client attached to a DB2 Connect Enterprise Edition gateway. It may be specified there to improve performance, since the client then does not need to retrieve it from the gateway, which reduces the elapsed time for transactions.

  3. In the case of a discrepancy between the value at the client and value at the gateway, the value specified at the DB2 Connect gateway takes precedence.
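Added worked example, not DB2 Connect's own code: a small Python resolver that transcribes the rules above (the validation location of each authentication type, per-hop password encryption decided by the type cataloged at the source of that hop, the SECURITY=NONE requirement for APPC with the _ENCRYPT types, Note 1's SERVER default and Note 3's gateway precedence) and audits a constructed list of directory entries, including the four rows of the combination table. The names resolve(), audit(), Resolution and the sample entries are this example's own; treating a client and gateway whose types disagree on location as a misconfiguration that the gateway's value settles is my reading of Note 3, not a statement from this page.

```python
"""Resolve, for a DB2 Connect gateway scenario, where a CONNECT is authenticated
and on which hop the password travels encrypted.

Added example transcribing the rules of the Authentication section; it is not
DB2 Connect code. resolve(), audit(), Resolution and SAMPLE_ENTRIES are this
example's own names and constructed data."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Where each cataloged authentication type validates the user name and password.
LOCATION = {
    "CLIENT": "client",
    "SERVER": "gateway",          # the DB2 Connect workstation
    "SERVER_ENCRYPT": "gateway",
    "DCS": "server",              # the host or AS/400 database server
    "DCS_ENCRYPT": "server",
    "DCE": "dce",                 # the DCE security server
}

# Types that encrypt the password at the source of the hop they are cataloged on.
ENCRYPTING = {"SERVER_ENCRYPT", "DCS_ENCRYPT"}

# Types that send the password over their hop without encryption.
CLEARTEXT = {"SERVER", "DCS"}


def normalize(value: Optional[str]) -> str:
    """Note 1: an absent authentication value in a directory entry means SERVER."""
    if value is None or not value.strip():
        return "SERVER"
    v = value.strip().upper()
    if v not in LOCATION:
        raise ValueError(f"unknown authentication type: {value!r}")
    return v


@dataclass(frozen=True)
class Resolution:
    location: str                    # "client", "gateway", "server" or "dce"
    client_gateway_encrypted: bool   # password encrypted on the client -> gateway hop
    gateway_server_encrypted: bool   # password encrypted on the gateway -> host hop
    warnings: Tuple[str, ...]


def resolve(client_auth: Optional[str], gateway_auth: Optional[str],
            node_security: str = "NONE") -> Resolution:
    """Combine the client's and the gateway's cataloged authentication types.

    node_security is the APPC/APPN node directory security type; "NONE" is
    assumed when no APPC node is involved."""
    c, g = normalize(client_auth), normalize(gateway_auth)
    warnings: List[str] = []

    # Note 3: on a discrepancy, the value cataloged at the gateway takes precedence.
    if LOCATION[c] != LOCATION[g]:
        warnings.append(f"client {c} and gateway {g} disagree on location; gateway wins")
    location = LOCATION[g]

    # Encryption is decided per hop by the type cataloged at that hop's source.
    cg = c in ENCRYPTING
    gs = g in ENCRYPTING

    # Only SECURITY=NONE is supported on an APPC node when an _ENCRYPT type is used.
    if (cg or gs) and node_security.strip().upper() != "NONE":
        warnings.append(f"APPC SECURITY={node_security} is not supported with "
                        f"{c}/{g}; catalog the node with SECURITY=NONE")

    # Flag hops on which the password is transferred in the clear.
    if c in CLEARTEXT:
        warnings.append("password crosses client -> gateway unencrypted")
    if g == "DCS":
        warnings.append("password forwarded gateway -> host unencrypted")

    return Resolution(location, cg, gs, tuple(warnings))


def audit(entries) -> Dict[str, Resolution]:
    """Resolve each (alias, client_auth, gateway_auth, node_security) entry."""
    return {alias: resolve(c, g, s) for alias, c, g, s in entries}


# Constructed sample (not the output of any DB2 command): the four rows of the
# combination table, plus two entries a reviewer would want flagged.
SAMPLE_ENTRIES = [
    ("ROW1", "SERVER_ENCRYPT", "SERVER", "NONE"),
    ("ROW2", "DCS_ENCRYPT", "DCS", "NONE"),
    ("ROW3", "DCS", "DCS_ENCRYPT", "NONE"),
    ("ROW4", "DCS_ENCRYPT", "DCS_ENCRYPT", "NONE"),
    ("DEFAULTED", None, "DCS", "NONE"),                 # Note 1 and Note 3 together
    ("APPC_BAD", "DCS_ENCRYPT", "DCS_ENCRYPT", "PROGRAM"),  # breaks the APPC rule
]

if __name__ == "__main__":
    for alias, r in audit(SAMPLE_ENTRIES).items():
        print(f"{alias:10} location={r.location:8} "
              f"client-gw={str(r.client_gateway_encrypted):5} "
              f"gw-server={str(r.gateway_server_encrypted):5} "
              + ("; ".join(r.warnings) if r.warnings else "ok"))
```

The client_auth and gateway_auth values are the AUTHENTICATION keyword cataloged on each side with the CLP CATALOG DATABASE command, and node_security is the SECURITY keyword of CATALOG APPC NODE (the command keywords as I know them, not quoted from this page). Feeding the resolver the values from both directories is a quick way to see which hop still carries a cleartext password after a change to only one side.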

