5 The DB2 Data Provider : Authentication

Authentication
Authentication protects the identity of the user so that user credentials cannot be intercepted by malicious hackers when transmitted over the network. See “Authentication” for an overview.
The DB2 data provider supports the following methods of authentication:
This method requires knowledge of how to configure your Kerberos environment and supports Windows Active Directory Kerberos and MIT Kerberos.
NOTE: Because the database server does not authenticate the user when client authentication is used, use this method of authentication if you can guarantee that only trusted clients can access the database server.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections.
When Authentication Method=Kerberos, the data provider uses Kerberos authentication when establishing a connection. The data provider ignores any values specified by the User ID and Password connection string options.
When Authentication Method=EncryptedUIDPassword, Authentication Method=EncryptedPassword, or Authentication Method=ClearText (the initial default), the data provider uses user ID/password authentication when establishing a connection. The User ID connection string option provides the user ID. The Password connection string option provides the password.
The set of credentials that are passed to the DB2 server depends on the specified value:
NOTE: If any of these values are set, the data provider can also use data encryption by setting the Encryption Method connection string option.
When Authentication Method=Client, the data provider uses the user ID of the user logged onto the system on which the data provider is running when establishing a connection. The DB2 database server relies on the client to authenticate the user and does not provide additional authentication. The data provider ignores any values specified by the User ID and Password connection string options.
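As an added example that is not part of the data provider documentation, the following C# helper applies the Authentication Method rules above to a connection string as a configuration check: it treats an absent option as the ClearText default, flags a password sent without encryption, and reports User ID/Password values that Kerberos or Client authentication would silently ignore. The DB2AuthAudit class, the sample connection strings and the use of the generic ADO.NET DbConnectionStringBuilder for parsing are assumptions of this example, not provider API.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

// Added example, not part of the DDTek.DB2 provider: applies the Authentication
// Method rules above to a connection string and reports weak or stale settings.
static class DB2AuthAudit
{
    // One finding per concern; an empty list means nothing to flag.
    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        // Generic ADO.NET builder: splits "Key=Value;" pairs; keys are case-insensitive.
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        bool explicitMethod = b.ContainsKey("Authentication Method");
        // The option defaults to ClearText when it is absent.
        string method = explicitMethod ? b["Authentication Method"].ToString().ToLowerInvariant() : "cleartext";
        bool hasCredential = b.ContainsKey("User ID") || b.ContainsKey("Password");
        bool passwordMethod = method == "cleartext" || method == "encryptedpassword" || method == "encrypteduidpassword";
        if (method == "cleartext")
            findings.Add((explicitMethod ? "" : "Authentication Method absent, so the default ClearText applies: ")
                + "the password crosses the network in clear text; use EncryptedPassword, EncryptedUIDPassword or Kerberos.");
        if (passwordMethod && b.ContainsKey("Password"))
            findings.Add("Password literal embedded in the connection string; supply it from a secret store at run time.");
        if (passwordMethod && !b.ContainsKey("Encryption Method"))
            findings.Add("Encryption Method not set; the provider will not encrypt the session data.");
        if ((method == "kerberos" || method == "client") && hasCredential)
            findings.Add("User ID/Password are ignored by this Authentication Method; remove the stale credential.");
        if (method == "client")
            findings.Add("Client authentication: the server relies on the client to authenticate the user; only acceptable when every client is trusted.");
        return findings;
    }

    static void Main()
    {
        // Constructed sample connection strings; host and credentials are placeholders.
        string[] samples = {
            "Host=db2test; Port=50000; Database Name=test; User ID=appuser; Password=PLACEHOLDER",
            "Host=db2test; Port=50000; Database Name=test; Authentication Method=Kerberos; User ID=appuser; Password=PLACEHOLDER",
            "Host=db2test; Port=50000; Database Name=test; Authentication Method=Client"
        };
        foreach (string cs in samples)
        {
            Console.WriteLine(cs);
            foreach (string f in Audit(cs))
                Console.WriteLine("  - " + f);
        }
    }
}
```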
Configuring User ID/Password Authentication
Configuring Kerberos Authentication
This section provides requirements and instructions for configuring Kerberos authentication for the DB2 data provider.
Product Requirements
Verify that your environment meets the requirements listed in Table 5-8 before you configure the DB2 data provider for Kerberos authentication.
 
Configuring the Data Provider
To configure the data provider to use Kerberos, set the Authentication Method connection string option to Kerberos.
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, when Kerberos authentication is used, the DB2 data provider takes advantage of the user name and password maintained by the operating system to authenticate users to the database. By allowing the database to share the user name and password used for the operating system, users with a valid operating system account can log into the database without supplying a user name and password.
There may be times when you want the data provider to use another set of user credentials. For example, many application servers or Web servers act on behalf of the client user logged on to the machine on which the application is running, rather than the server user.
The following C# code snippet demonstrates how to use Windows impersonation to connect using Kerberos as a user other than the user under which the current process is running.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using DDTek.DB2;

namespace ConsoleApplication50 {

   class Program {

      // LogonUser returns an access token for the given account.
      [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
      public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
         int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

      [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
      public static extern bool CloseHandle(IntPtr handle);

      // Interactive logon; this logon type causes LogonUser to create a primary token.
      const int LOGON32_LOGON_INTERACTIVE = 2;
      const int LOGON32_PROVIDER_DEFAULT = 0;

      // Opens the connection, prints CURRENT_SCHEMA (which defaults to the
      // authorization ID of the connected user, so it shows who connected) and closes it.
      static void PrintCurrentSchema(DB2Connection connection) {
         connection.Open();
         try {
            DB2Command command = connection.CreateCommand();
            command.CommandText = "SELECT CURRENT_SCHEMA FROM SYSIBM.SYSDUMMY1";
            string schema = (string)command.ExecuteScalar();
            Console.Out.WriteLine("Current user: " + schema);
         }
         finally {
            connection.Close();
         }
      }

      static void Main(string[] args) {
         try {
            DB2Connection connection = new DB2Connection();
            // No User ID/Password: with Kerberos the provider ignores them and uses the
            // credentials of the Windows account the process (or impersonating thread) runs as.
            connection.ConnectionString = "Host=db2test; Port=50000; Database Name=test; Authentication Method=Kerberos;";

            // Connect as the user under which the process is running.
            PrintCurrentSchema(connection);

            // Obtain an access token for the other user. In production code, read the
            // password from a protected store rather than a string literal.
            IntPtr tokenHandle = IntPtr.Zero;
            if (LogonUser("otheruser", "DOMAIN", "otherpassword",
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle)) {
               try {
                  WindowsIdentity wi = new WindowsIdentity(tokenHandle);
                  // Impersonate inside try/finally so the thread is never left
                  // impersonating if Open() or the query throws.
                  WindowsImpersonationContext wic = wi.Impersonate();
                  try {
                     // Connect via Kerberos as otheruser
                     PrintCurrentSchema(connection);
                  }
                  finally {
                     // End impersonation
                     wic.Undo();
                  }
               }
               finally {
                  // Close the token handle
                  CloseHandle(tokenHandle);
               }
            }
            else {
               Console.Out.WriteLine("LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
            }

            // Back to the original process identity.
            PrintCurrentSchema(connection);
         }
         catch (Exception e) {
            // Print the whole chain of inner exceptions.
            do {
               Console.Out.WriteLine(e.Message);
               e = e.InnerException;
            }
            while (e != null);
         }
      }
   }
}
For additional information on using Kerberos, refer to the Microsoft documentation.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows client, the application user does not need to explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
Configuring Client Authentication
Set the Authentication Method connection string option to Client.