User's Guide
This section lists the various combinations of authentication and security
settings that are supported with DB2 Connect Version 5.0 over both APPC and
TCP/IP connections.
The discussion which follows applies to both types of connection.
The following security types are allowed for APPC connections; they specify
what security information flows at the communications layer:
- SAME: only the user name is passed to the DRDA server.
- PROGRAM: the user name and password are passed to the DRDA server.
- NONE: no security information flows.
Table 2 shows the possible combinations of these values and the authentication type
specified on the DB2 Connect workstation, and where validation is performed
for each combination. Only the combinations shown in this table are supported
by DB2 Connect over APPC connections.
Table 2. Valid Security Scenarios for APPC connections

| Case | DB2 Connect Authentication | Security | Validation |
|------|----------------------------|----------|------------|
| 1 | CLIENT | SAME | Client |
| 2 | SERVER | SAME | DB2 Connect workstation |
| 3 | SERVER | PROGRAM | DB2 Connect workstation and DRDA server |
| 4 | DCS | PROGRAM | DRDA server |
| 5 | DCE | NONE | DCE security server |
If remote clients are connected to a DB2 Connect Enterprise Edition
gateway, specify the following:
- If a remote client is connected to a DB2 Connect gateway via APPC, specify
a security type of NONE at the remote client.
- If the authentication type in the database manager configuration at the
DB2 Connect gateway is CLIENT, specify CLIENT at each
remote client.
- If the authentication type at the DB2 Connect gateway is either
SERVER or DCS, specify either SERVER or
DCS at each remote client. (Which of these two values you specify
at the remote client makes no difference.)
Notes:
- For AIX systems, all users using APPC security type SAME must
belong to the AIX system group.
- For AIX systems with remote clients, the instance of the DB2 Connect
product running on the DB2 Connect workstation must belong to the AIX
system group.
- Access to a DRDA server is controlled by its own security mechanisms or
subsystems; for example, the Virtual Telecommunications Access Method (VTAM)
and Resource Access Control Facility (RACF). Access to protected database
objects is controlled by the SQL GRANT and REVOKE
statements.
The TCP/IP communication protocol does not support security options at the
network protocol layer. Thus, only the authentication type determines where
authentication takes place. Only the combinations shown in Table 3 are
supported by DB2 Connect over TCP/IP connections.
Table 3. Valid Security Scenarios for TCP/IP connections

| Case | DB2 Connect Workstation Authentication type | Validation |
|------|---------------------------------------------|------------|
| 1 | CLIENT | Client |
| 2 | SERVER | DB2 Connect workstation |
| 3 | Not applicable | None |
| 4 | DCS | DRDA server |
| 5 | DCE | DCE security server |
The following discussion applies to both APPC and TCP/IP connections, as
described above and listed in Table 2 and Table 3. Each case is described in more detail, as follows:
- In case 1, the user name and password are validated only at the remote
client. (For a local client, the user name and password are validated only at
the DB2 Connect workstation.)
The user is expected to be authenticated at the location he or she first
signs on to. The user ID is sent across the network, but not the password. Use
this type of security only if all client workstations have adequate security
facilities that can be trusted.
- In case 2, the user name and password are validated at the DB2 Connect
workstation only. The password is sent across the network from the remote
client to the DB2 Connect workstation but not to the DRDA server.
- In case 3, the user name and password are validated at both the DB2
Connect workstation and the DRDA server. The password is sent across the
network from the remote client to the DB2 Connect workstation and from the DB2
Connect workstation to the DRDA server.
Because validation is performed in two places, the same set of user names
and passwords must be maintained at both the DB2 Connect workstation and the
DRDA server.
- In case 4, the user name and password are validated at the DRDA server
only. The user ID and password are sent across the network from the remote
client to the DB2 Connect workstation and from the DB2 Connect workstation to
the DRDA server.
- In case 5, a DCE encrypted ticket is obtained by the client from the DCE
security server. The ticket is passed unaltered through DB2 Connect to the
server, where it is validated by the server using DCE Security Services.
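As an added example (not IBM's code and not part of this guide), the following Python model encodes Table 2, Table 3 and the per-hop credential flows from the case descriptions above, so a given DB2 Connect setting can be checked for support, for where validation happens and for which network hops carry the password; the hop names, the "TCPIP" protocol label and the function names are my own assumptions.

```python
# Constructed model of the cases above (added example, not IBM code).
# (protocol, DB2 Connect authentication, APPC security) -> (case, validated at)
# Tables 2 and 3 from the text; TCP/IP has no security type, so it is None.
SUPPORTED = {
    ("APPC", "CLIENT", "SAME"): (1, ["client"]),
    ("APPC", "SERVER", "SAME"): (2, ["DB2 Connect workstation"]),
    ("APPC", "SERVER", "PROGRAM"): (3, ["DB2 Connect workstation", "DRDA server"]),
    ("APPC", "DCS", "PROGRAM"): (4, ["DRDA server"]),
    ("APPC", "DCE", "NONE"): (5, ["DCE security server"]),
    ("TCPIP", "CLIENT", None): (1, ["client"]),
    ("TCPIP", "SERVER", None): (2, ["DB2 Connect workstation"]),
    ("TCPIP", "DCS", None): (4, ["DRDA server"]),
    ("TCPIP", "DCE", None): (5, ["DCE security server"]),
}
# Per case: what the remote client sends to the DB2 Connect workstation and
# what the workstation forwards to the DRDA server (from the case descriptions).
HOP_FLOWS = {
    1: ({"userid"}, {"userid"}),
    2: ({"userid", "password"}, {"userid"}),
    3: ({"userid", "password"}, {"userid", "password"}),
    4: ({"userid", "password"}, {"userid", "password"}),
    5: ({"dce ticket"}, {"dce ticket"}),
}

def describe(protocol, authentication, security=None):
    """Return case, validation points and per-hop flows; raise if unsupported."""
    # TCP/IP carries no security type at the protocol layer, so it is ignored.
    key = (protocol, authentication, security if protocol == "APPC" else None)
    if key not in SUPPORTED:
        raise ValueError(f"combination not supported by DB2 Connect: {key}")
    case, validated_at = SUPPORTED[key]
    to_gateway, to_server = HOP_FLOWS[case]
    hops = {"client_to_gateway": to_gateway, "gateway_to_server": to_server}
    return {
        "case": case,
        "validated_at": validated_at,
        "flows": {name: sorted(flow) for name, flow in hops.items()},
        # hops on which the user's password itself travels over the network
        "password_hops": [name for name, flow in hops.items() if "password" in flow],
    }

def remote_client_setting_ok(gateway_authentication, client_authentication):
    """Apply the remote-client rule given above for a DB2 Connect EE gateway."""
    if gateway_authentication == "CLIENT":
        return client_authentication == "CLIENT"
    if gateway_authentication in ("SERVER", "DCS"):
        return client_authentication in ("SERVER", "DCS")
    raise ValueError("the text gives no remote-client rule for " + gateway_authentication)
```

Case 1 is the only password-carrying case in which no hop exposes the password, which is why the text ties it to trusted client workstations; cases 3 and 4 expose it on both hops.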