Sending encrypted passwords from workstation clients
As a server, DB2® for z/OS® can accept requests from remote workstation clients that use 256-bit Advanced Encryption Standard (AES) or 56-bit Data Encryption Standard (DES) encryption over a TCP/IP network connection.
About this task
Depending on the DRDA level, a remote client can use the AES or DES encryption algorithm for sending passwords, user IDs and associated passwords, or other security-sensitive data to a DB2 for z/OS server. If the client explicitly requests AES encryption, only user IDs, passwords, or both are encrypted in AES, and any data in the request is encrypted in DES. Any persistent attempt to encrypt the data in AES causes the client to reject the connection request. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption. See the DB2 for z/OS Program Directory for ICSF hardware and software requirements for AES encryption.
To enable the DB2 for z/OS AES server support, you must install and configure z/OS Integrated Cryptographic Services Facility (ICSF). During DB2 startup, DSNXINIT invokes the MVS™ LOAD macro service to load various ICSF services, including the ICSF CSNESYE and CSNESYD modules that DB2 calls for processing AES encryption and decryption requests. If ICSF is not installed or if ICSF services are not available, DB2 cannot provide AES support, and DB2 terminates the connection.
To use DES encryption, you can enable DB2 Connect™ to send encrypted passwords by setting database connection services (DCS) authentication to DCS_ENCRYPT in the DCS directory entry. When a client application issues an SQL CONNECT statement, the client negotiates this support with the database server. If supported, a shared private key is generated by the client and server using the Diffie-Hellman public key technology, and the password is encrypted using 56-bit DES with the shared private key. The encrypted password cannot be replayed, and the shared private key is generated on every connection. If the server does not support password encryption, the application receives SQLCODE -30073 (DRDA security manager level 6 is not supported).
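The DES negotiation described above, as an added example written for this page rather than IBM's or DB2 Connect's own code: the server either reports SQLCODE -30073 or both sides derive a fresh Diffie-Hellman shared key for this connection and the client sends the password under 56-bit DES with that key. Assumptions: the DH group (a freshly generated 256-bit prime), the key derivation (truncated SHA-256), the padding and the function names are stand-ins for illustration, not the values or wire format that DRDA specifies.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// SQLCODE the application receives when the server cannot negotiate password encryption.
const SQLCODESecMechUnsupported = -30073

// Assumption: a fresh 256-bit prime with generator 2 stands in for the DRDA-defined group.
var demoP, _ = rand.Prime(rand.Reader, 256)

// desKey derives the 8-byte DES key from the shared secret z (assumption: SHA-256
// truncation stands in for the DRDA key derivation, which this example does not reproduce).
func desKey(z *big.Int) []byte {
	sum := sha256.Sum256(z.Bytes())
	return sum[:8]
}

// Connect models one CONNECT with DCS_ENCRYPT: either SQLCODE -30073, or a fresh DH key
// per connection and the DES-CBC, PKCS#7-padded password. Returns server key, ciphertext, SQLCODE.
func Connect(serverSupportsEncrypt bool, password string) (serverKey, encPw []byte, sqlcode int) {
	if !serverSupportsEncrypt {
		return nil, nil, SQLCODESecMechUnsupported
	}
	cPriv, _ := rand.Int(rand.Reader, demoP) // client keeps x, sends g^x
	cPub := new(big.Int).Exp(big.NewInt(2), cPriv, demoP)
	sPriv, _ := rand.Int(rand.Reader, demoP) // server keeps y, replies g^y
	sPub := new(big.Int).Exp(big.NewInt(2), sPriv, demoP)
	clientKey := desKey(new(big.Int).Exp(sPub, cPriv, demoP)) // (g^y)^x
	serverKey = desKey(new(big.Int).Exp(cPub, sPriv, demoP))  // (g^x)^y
	n := des.BlockSize - len(password)%des.BlockSize
	encPw = append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := des.NewCipher(clientKey) // zero IV is acceptable: the key is single-use
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(encPw, encPw)
	return serverKey, encPw, 0
}

// RecoverPassword is the server side: decrypt with its own derived key and strip the
// padding. A ciphertext replayed on a later connection meets a different key.
func RecoverPassword(serverKey, encPw []byte) string {
	block, _ := des.NewCipher(serverKey)
	pt := make([]byte, len(encPw))
	cipher.NewCBCDecrypter(block, make([]byte, des.BlockSize)).CryptBlocks(pt, encPw)
	if p := int(pt[len(pt)-1]); p >= 1 && p <= des.BlockSize {
		return string(pt[:len(pt)-p])
	}
	return "" // invalid padding: wrong key (e.g. replayed ciphertext) or tampering
}
```

Running Connect twice shows the per-connection key: the second connection's key differs from the first, so a captured ciphertext replayed against it does not recover the password.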
To protect your authentication information, use the z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS) to secure your network connections. To complement the use of AT-TLS, set the TCPALVER subsystem parameter of installation panel DSNTIP5 to SERVER_ENCRYPT. Setting this parameter to SERVER_ENCRYPT provides the strongest level of security. Connections are accepted only if user credentials are provided to authenticate the user ID, and strong encryption is used to protect the user ID and credentials.
