DB2 Connect User's Guide
This section lists the various combinations of authentication and
security settings that are supported with DB2 Connect over both APPC and
TCP/IP connections.
The discussion which follows applies to both types of connection.
The following security types are allowed for APPC connections to
specify what security information will flow at the communications layer:
- SAME: Only the user name is passed to the host or AS/400 database server.
- PROGRAM: The user name and password are passed to the host or AS/400
database server.
- NONE: No security information flows.
Table 5 shows the possible combinations of these values and the
authentication type specified on the DB2 Connect workstation, and where
validation is performed for each combination. Only the combinations
shown in this table are supported by DB2 Connect over APPC connections.
Table 5. Valid Security Scenarios for APPC connections

| Case | Authentication setting in the database directory entry at the DB2 Connect workstation | Security | Validation |
|------|------|------|------|
| 1 | CLIENT | SAME | Client |
| 2 | SERVER | SAME | DB2 Connect server |
| 3 | SERVER | PROGRAM | DB2 Connect server and host or AS/400 database server |
| 4 | SERVER_ENCRYPT or DCS_ENCRYPT | NONE | host or AS/400 database server |
| 5 | DCS | PROGRAM | host or AS/400 database server |
| 6 | DCE | NONE | DCE security server |

If remote clients are connected to a DB2 Connect Enterprise Edition server,
specify the following authentication and security types:
- If a remote client is connected to a DB2 Connect server via APPC, specify
a security type of NONE at the remote client.
- If the authentication type in the database manager configuration at the
DB2 Connect server is CLIENT, specify CLIENT at each
remote client.
- If the authentication type at the DB2 Connect server is SERVER,
SERVER_ENCRYPT, DCS, or DCS_ENCRYPT, specify
one of these types at each remote client. (Which of these 4 types you
specify at the remote client makes no difference.)
Notes:
- For AIX systems, all login users using APPC security type SAME
must belong to the AIX system group.
- For AIX systems with remote clients, the instance of the DB2 Connect
product running on the DB2 Connect workstation must belong to the AIX system
group.
- Access to a host or AS/400 database server is controlled by its own
security mechanisms or subsystems; for example, the Virtual
Telecommunications Access Method (VTAM) and Resource Access Control Facility
(RACF). Access to protected database objects is controlled by the SQL
GRANT and REVOKE statements.
The TCP/IP communication protocol does not support security options at
the network protocol layer. Thus only the authentication type controls
where authentication takes place. Only the combinations shown in this
table are supported by DB2 Connect over TCP/IP connections.
Table 6. Valid Security Scenarios for TCP/IP connections

| Case | Authentication setting in the database directory entry at the DB2 Connect workstation | Validation |
|------|------|------|
| 1 | CLIENT | Client |
| 2 | SERVER or SERVER_ENCRYPT | DB2 Connect workstation |
| 3 | Not applicable | None |
| 4 | DCS or DCS_ENCRYPT | host or AS/400 database server |
| 5 | DCE | DCE security server |

The following discussion applies to both APPC and TCP/IP connections,
as described above and listed in Table 5 and Table 6. Each case is described in more
detail, as follows:
- In case 1, the user name and password are validated only at the remote
client. (For a local client, the user name and password are validated
only at the DB2 Connect server.)
The user is expected to be authenticated at the location he or she first
signs on to. The user ID is sent across the network, but not the
password. Use this type of security only if all client workstations
have adequate security facilities that can be trusted.
- In case 2, the user name and password are validated at the DB2 Connect
server only. The password is sent across the network from the remote
client to the DB2 Connect server but not to the host or AS/400 database
server.
- In case 3, the user name and password are validated at both the DB2
Connect server and the host or AS/400 database server. The password is
sent across the network from the remote client to the DB2 Connect workstation
and from the DB2 Connect workstation to the host or AS/400 database
server.
Because validation is performed in two places, the same set of user names
and passwords must be maintained at both the DB2 Connect server and the host
or AS/400 database server.
- In case 4, the user name and password are validated at the host or AS/400
database server only. The user ID and password are sent across the
network from the remote client to the DB2 Connect server and from the DB2
Connect server to the host or AS/400 database server.
- In case 5, a DCE encrypted ticket is obtained by the client from the DCE
security server. The ticket is passed unaltered through DB2 Connect to
the server, where it is validated by the server using DCE Security
Services.
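As an added illustration (not IBM's code or part of the original guide), the following Python model transcribes the supported combinations from Tables 5 and 6 and derives, from the case descriptions above, where a user is validated and on which network hops the password itself travels. The hop-inference rule (the password crosses a hop only when a validating party lies beyond it) is an assumption drawn from the five cases; it does not model whether the _ENCRYPT variants protect the password in transit, since this page does not describe that.

```python
"""Where DB2 Connect validates a user and which hops carry the password.
Combination tables are transcribed from Tables 5 and 6 of this page."""

CLIENT = "client"
DB2CONNECT = "DB2 Connect server"
HOST = "host or AS/400 database server"
DCE_SERVER = "DCE security server"

# APPC (Table 5): (authentication, APPC security type) -> validation sites
APPC = {
    ("CLIENT", "SAME"): (CLIENT,),
    ("SERVER", "SAME"): (DB2CONNECT,),
    ("SERVER", "PROGRAM"): (DB2CONNECT, HOST),
    ("SERVER_ENCRYPT", "NONE"): (HOST,),
    ("DCS_ENCRYPT", "NONE"): (HOST,),
    ("DCS", "PROGRAM"): (HOST,),
    ("DCE", "NONE"): (DCE_SERVER,),
}
# TCP/IP (Table 6): no protocol-layer security type, authentication only
TCPIP = {
    "CLIENT": (CLIENT,),
    "SERVER": (DB2CONNECT,),
    "SERVER_ENCRYPT": (DB2CONNECT,),
    "DCS": (HOST,),
    "DCS_ENCRYPT": (HOST,),
    "DCE": (DCE_SERVER,),
}

def credential_flow(protocol, authentication, security=None):
    """Return validation sites and the hops on which the password travels.
    Raises ValueError for a combination the tables do not list."""
    if protocol == "APPC":
        sites = APPC.get((authentication, security))
    elif protocol == "TCPIP":
        sites = TCPIP.get(authentication)
    else:
        raise ValueError(f"unknown protocol {protocol!r}")
    if sites is None:
        raise ValueError(f"unsupported: {protocol} {authentication} {security}")
    if DCE_SERVER in sites:
        # Case 5: a DCE ticket, not the password, passes through DB2 Connect.
        return {"validation": sites, "password_hops": [], "dce_ticket": True}
    hops = []
    if CLIENT not in sites:          # cases 2, 3, 4: someone past the client validates
        hops.append("remote client -> DB2 Connect server")
    if HOST in sites:                # cases 3, 4: the host validates
        hops.append("DB2 Connect server -> host or AS/400 database server")
    return {"validation": sites, "password_hops": hops, "dce_ticket": False}

def is_supported(protocol, authentication, security=None):
    """True when the combination appears in Table 5 or Table 6."""
    try:
        credential_flow(protocol, authentication, security)
        return True
    except ValueError:
        return False
```

For example, `credential_flow("APPC", "SERVER", "PROGRAM")` reports validation at both the DB2 Connect server and the host with the password crossing both hops (case 3), while `is_supported("APPC", "CLIENT", "PROGRAM")` is False because Table 5 does not list that pairing.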