DB2 Connect User's Guide

Additional Hints and Tips About Security

This section provides some additional hints and tips about security for users of DB2 Connect.

Extended Security Codes

Until DB2 Universal Database for OS/390 Version 5.1, connect requests that provided user IDs or passwords could fail with SQL30082 reason code 0, with no other indication of what might be wrong.

DB2 Universal Database for OS/390 Version 5.1 introduced an enhancement that provides support for extended security codes. Specifying extended security provides additional diagnostics, such as (PASSWORD EXPIRED), in addition to the reason code.

To exploit this, the DB2 Universal Database for OS/390 ZPARM installation parameter for extended security should be set to the value YES. Use the DB2 Universal Database for OS/390 installation panel DSN6SYSP to set EXTSEC=YES. You can also use DDF panel 1 (DSNTIPR) to set this. The default value is EXTSEC=NO. In the case of an expired password, PC, UNIX, Apple Macintosh, and Web applications using DB2 Connect will receive error message SQL01404.

TCP/IP Security Already Verified

If you wish to provide support for the DB2 Universal Database security option AUTHENTICATION=CLIENT, then use DB2 Universal Database for OS/390 installation panel DSNTIP4 (DDF panel 2) to set TCP/IP already verified security to YES.

Desktop ODBC and Java Application Security

Workstation ODBC and Java applications use dynamic SQL. This may create security concerns in some installations. DB2 Universal Database for OS/390 introduces a new bind option DYNAMICRULES(BIND) that allows execution of dynamic SQL under the authorization of either the owner or the binder. Refer to the Command Reference to see how DYNAMICRULES can be specified through DB2 Connect.

DB2 Universal Database and DB2 Connect provide a new CLI/ODBC configuration parameter CURRENTPACKAGESET in the DB2CLI.INI configuration file. This should be set to a schema name that has the appropriate privileges. An SQL SET CURRENT PACKAGESET schema statement will automatically be issued after every connect for the application.

Use the ODBC Manager to update DB2CLI.INI. See the Installation and Configuration Supplement for further information.
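
The following is an added example, not part of the DB2 Connect manual: a small Python check that reads the text of a DB2CLI.INI file and reports data source sections where CURRENTPACKAGESET is absent, empty, or set to a schema that is not on an approved list. The alias names, the schema name ODBCRESTR, the approved-list idea and the treatment of [COMMON] as a non-data-source section are assumptions made for illustration.

```python
import configparser

# Constructed sample DB2CLI.INI content (aliases and schema names are made up).
SAMPLE_INI = """\
; constructed sample, not from the DB2 Connect manual
[COMMON]
Trace=0

[PAYROLL]
DBALIAS=PAYROLL
CurrentPackageSet=ODBCRESTR

[INVENTRY]
DBALIAS=INVENTRY

[HRTEST]
CURRENTPACKAGESET=
"""

def audit_packageset(ini_text, approved_schemas):
    """Return {alias: finding} for every data source section in ini_text.

    finding is 'ok', 'missing' (keyword absent or empty) or
    'unapproved:<schema>' (set, but not to a schema on the approved list).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower   # keyword match is case-insensitive here
    parser.read_string(ini_text)
    # Simplification: schema names are compared in upper case.
    approved = {s.upper() for s in approved_schemas}
    findings = {}
    for alias in parser.sections():
        if alias.upper() == "COMMON":   # assumption: not a data source alias
            continue
        value = parser.get(alias, "currentpackageset", fallback="").strip()
        if not value:
            findings[alias] = "missing"
        elif value.upper() not in approved:
            findings[alias] = "unapproved:" + value
        else:
            findings[alias] = "ok"
    return findings

if __name__ == "__main__":
    for alias, finding in audit_packageset(SAMPLE_INI, ["ODBCRESTR"]).items():
        print(f"{alias:10} {finding}")
```

A data source reported as missing connects without the automatic SET CURRENT PACKAGESET statement described above, so its dynamic SQL does not run through the package set that was bound with the intended privileges.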

Password Change Support

If an SQL CONNECT statement returns a message indicating that the user ID's password has expired, with DB2 Connect Version 5.2 and later it is possible to change the password without signing on to TSO. Through DRDA, DB2 Universal Database for OS/390 can change the password for you.

The old password, along with the new password and the verify password, must be supplied by the user. If the security specified at the DB2 Connect Enterprise Edition server is DCS, then a request to change the password is sent to the DB2 Universal Database for OS/390 database server. If the security specified is SERVER, then the password on the DB2 Connect server is changed.

An additional benefit is that a separate LU definition is not required. Refer to the DB2 Connect Enterprise Edition Quick Beginnings manual for additional information.

