Security mechanisms for Db2 for z/OS as a requester

As a requester, Db2 for z/OS chooses SNA or DRDA security mechanisms based on the network protocol and the authentication mechanisms that you use. Make sure to use network security, such as client certificate authentication, SSL connections that use AT-TLS, or IPSec, to secure DRDA authentication mechanisms over a network that is not secure.

If you use SNA protocols, Db2 supports the following SNA authentication mechanisms:

  • User ID only (already verified)
  • User ID and password
  • User ID and PassTicket

Authentication is performed based on SNA protocols, which means that the authentication tokens are sent in an SNA attach (FMH-5).

If you use TCP/IP protocols, Db2 supports the following DRDA authentication mechanisms:

  • User ID only (already verified)
  • User ID and password
  • User ID and PassTicket
  • Authentication token (with the activation of Db2 function level 505)

If you use TCP/IP protocols with the z/OS Integrated Cryptographic Service Facility, Db2 also supports the following DRDA authentication mechanisms:

  • Encrypted user ID and encrypted password
  • Encrypted user ID and encrypted security-sensitive data

    Security-sensitive data is any input or output data. Examples are rows that are retrieved from a remote server, rows that are sent to the remote server, and SQL statement text.

Authentication is performed based on DRDA protocols, which means that the authentication tokens are sent in DRDA security flows. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption.