Sending passwords or password phrases

Db2 provides several security mechanisms to send password or password phrase information.

About this task

Specifically, Db2 supports the following security mechanisms:

  • RACF® encrypted passwords
  • RACF PassTickets
  • Kerberos tickets
  • DRDA-encrypted passwords or password phrases or DRDA-encrypted user IDs with encrypted passwords or password phrases. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption.

If you have to send passwords or password phrases through the network, you can put the password or password phrase for a user ID in the PASSWORD column of the SYSIBM.USERNAMES table.

Recommendation: Do not store cleartext passwords or password phrases in SYSIBM.USERNAMES. If ICSF (Integrated Cryptographic Service Facility) is installed and properly configured, use the DSNLEUSR stored procedure to insert the row so that the password or password phrase is stored in encrypted form. Db2 decrypts the value during connection processing, so the rest of the configuration is unchanged.
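The following SQL, added here as an illustration and not taken from the Db2 documentation, contrasts a direct INSERT of a cleartext password into SYSIBM.USERNAMES with the recommended DSNLEUSR call, and then shows how to confirm that the stored value is not the cleartext. The parameter order (Type, AuthID, LinkName, NewAuthID, Password, ReturnCode, MsgText) is that of DSNLEUSR; the SYSPROC qualifier, the location name DB2REMOT, the user IDs and the password are constructed values, and the `?` markers stand for the two output parameters bound by the calling client.

```sql
-- WEAK: cleartext outbound password in the catalog. Anyone who can read
-- SYSIBM.USERNAMES (or the catalog image copies) gets the credential.
INSERT INTO SYSIBM.USERNAMES (TYPE, AUTHID, LINKNAME, NEWAUTHID, PASSWORD)
  VALUES ('O', 'APPUSER', 'DB2REMOT', 'REMUSER', 'Sample-Pw-1');   -- constructed values

-- PREFERRED: let DSNLEUSR write the row with the password (and NEWAUTHID)
-- encrypted under ICSF. The first five arguments are inputs; the last two
-- are outputs (INTEGER return code, VARCHAR message text) that a client
-- such as CLP or a CLI/JDBC program receives through the '?' markers.
-- Remove the cleartext row first so the two do not collide on the same key.
DELETE FROM SYSIBM.USERNAMES
  WHERE TYPE = 'O' AND AUTHID = 'APPUSER' AND LINKNAME = 'DB2REMOT';

CALL SYSPROC.DSNLEUSR ('O',           -- Type: O = outbound translation row
                       'APPUSER',     -- AuthID: local user ID being translated
                       'DB2REMOT',    -- LinkName: location name in SYSIBM.LOCATIONS
                       'REMUSER',     -- NewAuthID: user ID sent to the server
                       'Sample-Pw-1', -- Password / password phrase (constructed)
                       ?,             -- ReturnCode (output; 0 = success)
                       ?);            -- MsgText    (output)

-- CHECK: the stored PASSWORD must no longer equal the cleartext, and the
-- hex form should look like ciphertext rather than EBCDIC text.
SELECT TYPE, AUTHID, LINKNAME, NEWAUTHID,
       HEX(PASSWORD) AS PASSWORD_HEX,
       CASE WHEN PASSWORD = 'Sample-Pw-1' THEN 'CLEARTEXT' ELSE 'ENCRYPTED' END AS STATE
  FROM SYSIBM.USERNAMES
  WHERE TYPE = 'O' AND AUTHID = 'APPUSER' AND LINKNAME = 'DB2REMOT';
```

Run the CALL from a client that can bind output parameters (a CLI or JDBC program, or the Db2 command line processor); SPUFI cannot return the two output values. The final SELECT is the check to keep in a hardening runbook: any row that reports CLEARTEXT was inserted by hand and should be replaced through DSNLEUSR.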

Db2 for z/OS® allows the use of RACF encrypted passwords or RACF PassTickets. However, workstations, such as Windows workstations, do not support these security mechanisms. RACF encrypted passwords are not a secure mechanism because they can be replayed. RACF PassTickets are not compatible with SECURITY_ENCRYPT; they are allowed only when the connections are secured by the TCP/IP network.

Recommendation: Do not use RACF encrypted passwords unless you are connecting to a previous release of Db2 for z/OS.