Administration Guide

Directory Services Security

When using DCE directory services in an environment without a DB2 Connect gateway, authentication is the same as is used for other clients accessing database servers. For more information, see Selecting an Authentication Method for Your Server.

When using DCE directory services in an environment with a DB2 Connect gateway, the DB2 Connect administrator determines where user names and passwords are validated. With DCE directories, specify the following:

The security type of the communication protocol in the database locator object representing the DB2 Connect workstation. (If a remote client is connected to the DB2 Connect Extended Edition gateway via an APPC connection, specify a security type of NONE in the DCE Locator Object of the gateway.)
The authentication type in the database object.
The security type of the communication protocol in the database object (or its associated locator object).
The authenticate at gateway token in the routing information object.

Table 74 shows the possible combinations of these values and where validation is performed for each combination using APPC connections. The combinations shown in this table are supported by DB2 Connect with DCE Directory Services.

Table 74. Valid Security Scenarios with DCE using APPC Connections

Database Object of the Server Routing Object Validation
Case Authentication Security Authenticate at Gateway
1 CLIENT SAME 0 Remote client (or DB2 Connect workstation)
2 CLIENT SAME 1 DB2 Connect workstation
3 SERVER PROGRAM 0 DRDA server
4 SERVER PROGRAM 1 DB2 Connect workstation and DRDA server
5 DCE NONE Not applicable DCE

	Database Object of the Server	Routing Object	Validation
Case	Authentication	Security	Authenticate at Gateway
`1`	`CLIENT`	`SAME`	`0`	Remote client (or DB2 Connect workstation)
`2`	`CLIENT`	`SAME`	`1`	DB2 Connect workstation
`3`	`SERVER`	`PROGRAM`	`0`	DRDA server
`4`	`SERVER`	`PROGRAM`	`1`	DB2 Connect workstation and DRDA server
`5`	`DCE`	`NONE`	`Not applicable`	DCE

Table 75 shows the possible combinations of these values and where validation is performed for each combination using TCP/IP connections. The combinations shown in this table are supported by DB2 Connect with DCE Directory Services.

Table 75. Valid Security Scenarios with DCE using TCP/IP Connections

Case Authentication Authenticate at Gateway Validation
1 CLIENT 0 Client
2 CLIENT 1 DB2 Connect workstation
3 SERVER 0 DRDA server
4 Not applicable Not applicable None
5 DCE Not applicable DCE

Case	Authentication	Authenticate at Gateway	Validation
`1`	`CLIENT`	`0`	Client
`2`	`CLIENT`	`1`	DB2 Connect workstation
`3`	`SERVER`	`0`	DRDA server
`4`	`Not applicable`	`Not applicable`	None
`5`	`DCE`	`Not applicable`	DCE

Each combination is applicable to both APPC and TCP/IP and is described in more detail below:

The user name and password are validated only at the remote client. (For a local client, the user name and password are validated only at the DB2 Connect workstation.)
The user is expected to be authenticated at the location he or she first signs on to. The user ID is sent across the network, but not the password. Use this type of security only if all client workstations have adequate security facilities.
The user name and password are validated at the DB2 Connect workstation only. The password is sent across the network from the remote client to the DB2 Connect workstation but not to the DRDA server.
The user name and password are validated at the DRDA server only. The password is sent across the network from the remote client to the DB2 Connect workstation and from the DB2 Connect workstation to the DRDA server.
The user name and password are validated at both the DB2 Connect workstation and the DRDA server. The password is sent across the network from the remote client to the DB2 Connect workstation and from the DB2 Connect workstation to the DRDA server.
Because validation is performed in two places, the same set of user names and passwords must be maintained at both the DB2 Connect workstation and the DRDA server.
A DCE token is obtained from the DCE Security Server.

Notes:

For AIX-based systems, all users using security type SAME must belong to the AIX system group.
For AIX-based systems with remote clients, the instance of the DB2 Connect product running on the DB2 Connect workstation must belong to the AIX system group.
Access to a DRDA server is controlled by its own security mechanisms or subsystems; for example, the Virtual Telecommunications Access Method (VTAM) and Resource Access Control Facility (RACF). Access to protected database objects is controlled by the SQL GRANT and REVOKE statements.

[ Top of Page | Previous Page | Next Page ]