Remote Db2 access
When the server is not the local Db2 subsystem, multiple security checks occur.
- The local security manager at the server verifies the Db2 primary authorization ID and password. A subsequent verification determines whether the authorization ID is allowed to access Db2.
- Security options for SNA or TCP/IP protocols are checked in the communications database (CDB).
DDF supports TCP/IP and SNA communication protocols in a distributed environment. As a requester or a server, Db2 chooses how to send or accept authentication mechanisms, based on which network protocol is used. Db2 uses SNA security mechanisms for SNA network connections and DRDA security mechanisms for TCP/IP or Kerberos network connections.
DRDA security options provide the following support for encrypting sensitive data:
- Db2 for z/OS® servers can provide secure, high-speed data encryption and decryption.
- Db2 for z/OS requesters have the option of encrypting user IDs and passwords when requesters connect to remote servers. Requesters can also encrypt security-sensitive data when communicating with servers so that the data is secure when traveling over the network.
You can use RACF® or a similar security subsystem to perform authentication. RACF can:
- Verify a remote authorization ID associated with a connection by checking the ID against its password.
- Verify whether the authorization ID is allowed to access Db2 through a remote connection.
- Verify whether the authorization ID is allowed to access Db2 from a specific remote site.
- Generate PassTickets, an alternative to passwords, on the sending side. A PassTicket lets a user gain access to a host system without sending the RACF password across the network.
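The list above describes several independent checks that all have to pass before a remote connection is accepted. The following Python model, added here as an illustration and not IBM or Db2 code, shows that layering with constructed in-memory tables standing in for RACF and the communications database (CDB); the table names, sample IDs, sites and passwords are all assumptions for the example. Each check fails closed, and the first failure stops processing.

```python
"""Model of the layered checks a remote Db2 connection passes through.

Added example, not IBM code. RACF and the CDB are represented by
constructed in-memory tables; the values are made up for illustration.
"""
import hmac
from dataclasses import dataclass

# Constructed sample data standing in for what RACF would hold.
PASSWORDS = {"APPUSER": "correct-horse", "BATCH01": "s3cret", "WEBUSER": "pw"}
DB2_REMOTE_ACCESS = {"APPUSER", "BATCH01"}     # IDs allowed to reach Db2 remotely
SITE_ACCESS = {"APPUSER": {"SITEA", "SITEB"}, "BATCH01": {"SITEA"}}

# Constructed stand-in for the CDB: which remote sites have a connection entry.
CDB_SITES = {"SITEA", "SITEB"}


@dataclass
class Request:
    auth_id: str    # Db2 primary authorization ID presented by the requester
    password: str
    site: str       # remote site the request arrives from


def check_remote_access(req):
    """Return (accepted, reason). Every check must pass; the first failure wins."""
    # 1. Local security manager verifies the authorization ID against its password.
    stored = PASSWORDS.get(req.auth_id)
    if stored is None or not hmac.compare_digest(stored.encode(), req.password.encode()):
        return False, "primary authorization ID / password rejected"
    # 2. Subsequent verification: is this ID allowed to access Db2 remotely?
    if req.auth_id not in DB2_REMOTE_ACCESS:
        return False, "authorization ID not allowed to access Db2"
    # 3. Is this ID allowed to access Db2 from this specific remote site?
    if req.site not in SITE_ACCESS.get(req.auth_id, set()):
        return False, f"authorization ID not allowed from site {req.site}"
    # 4. CDB check: the remote site must have a connection definition.
    if req.site not in CDB_SITES:
        return False, f"no CDB entry for site {req.site}"
    return True, "accepted"


if __name__ == "__main__":
    for r in (Request("APPUSER", "correct-horse", "SITEA"),
              Request("APPUSER", "wrong", "SITEA"),
              Request("WEBUSER", "pw", "SITEA"),
              Request("BATCH01", "s3cret", "SITEB")):
        print(r.auth_id, r.site, check_remote_access(r))
```

The point of the model is the ordering and the fail-closed behaviour: a valid password alone is not enough, because the ID must also be permitted to use Db2 remotely, from that site, over a connection the CDB knows about.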
Kerberos security
As a server, Db2 supports Kerberos security for authenticating remote users. The authentication mechanisms are encrypted Kerberos tickets rather than user IDs and passwords.
You can establish Db2 for z/OS support for Kerberos authentication through the z/OS Security Server. Kerberos is also a network security option for Db2 Connect clients.
Communications database
The Db2 communications database contains a set of Db2 catalog tables that let you control aspects of remote requests. Db2 uses this database to obtain information about connections with remote systems.
Workstation access
When a workstation client accesses a Db2 for z/OS server, Db2 Connect passes all authentication information from the client to the server. Workstation clients can encrypt user IDs and passwords when they issue a CONNECT statement. Database connection services (DCS) authentication must be set to DCS_ENCRYPT.
An authentication type for each instance determines user verification. The authentication type is stored in the database manager configuration file at the server. The following authentication types are allowed with Db2 Connect:
- CLIENT: The user ID and password are validated at the client.
- SERVER: The user ID and password are validated at the database server.
- SERVER_ENCRYPT: The user ID and password are validated at the database server, and passwords are encrypted at the client.
- KERBEROS: The client logs onto the server by using Kerberos authentication.