Managing access requests from remote applications

You can require remote users to pass several access checks before they reach Db2. You can use RACF® or a similar security subsystem to control access from a remote location.

While controlling access from a remote location, RACF can do the following tasks:

  • Verify an ID that is associated with a remote attachment request and check the ID with a password
  • Generate PassTickets on the sending side. PassTickets can be used instead of passwords. A PassTicket lets a user gain access to a host system without sending the RACF password across the network.
  • Verify a Kerberos ticket if your distributed environment uses Kerberos to manage user access and perform user authentication

You can also control access authentication by using the Db2 communications database (CDB). The CDB is a set of tables in the Db2 catalog that are used to establish conversations with remote database management systems. The CDB can translate IDs before it sends them to the remote system.

You can use the RACF DSNR general resource class for Db2 for access authentication. With RACF DSNR, you can control access to the Db2 server by the IDs that are defined to the ssnm.DIST profile with READ access. In addition, you can use port of entry (POE) checking by RACF and z/OS® Communications Server to protect against unauthorized remote connections to Db2.
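
The DSNR control described above, as an added example of RACF commands (not taken from the original page). It assumes a Db2 subsystem named DSN in place of ssnm, and the owner ID DB2OWNER and group DB2DIST are hypothetical names.

```tso
/* Added example. DSN (the ssnm), DB2OWNER and DB2DIST are hypothetical. */

/* Activate the DSNR class if it is not already active.                  */
SETROPTS CLASSACT(DSNR)

/* Define the profile that covers remote access to subsystem DSN.        */
/* UACC(NONE) denies every ID that is not explicitly permitted.          */
RDEFINE DSNR (DSN.DIST) OWNER(DB2OWNER) UACC(NONE)

/* Grant READ only to the group whose members may connect remotely.      */
PERMIT DSN.DIST CLASS(DSNR) ID(DB2DIST) ACCESS(READ)

/* If the DSNR class is RACLISTed, refresh the in-storage profiles.      */
SETROPTS RACLIST(DSNR) REFRESH

/* Review the universal access value and the resulting access list.      */
RLIST DSNR DSN.DIST AUTHUSER
```

A profile defined with UACC(READ) would admit every RACF-defined ID, so check the universal access value as well as the access list when you review the profile.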