Sending encrypted passwords or password phrases from Db2 for z/OS clients
As a requester, a Db2 for z/OS client can send connection requests that use 256-bit Advanced Encryption Standard (AES) or 56-bit Data Encryption Standard (DES) encryption security through a TCP/IP network to remote servers.
About this task
If the Db2 for z/OS client supports DRDA Security Manager (SECMGR) 9 or higher, and if z/OS ICSF is configured and started, the Db2 for z/OS client can send AES requests to a remote server. After the first successful connection, the Db2 for z/OS client can determine whether the remote server supports AES encryption security. If the remote server supports DRDA SECMGR 9 (or higher), the remote server accepts AES requests and encrypts the user IDs and passwords or password phrases that the client sends in AES.
If AES encryption is not available for the remote Db2 for z/OS server, the Db2 for z/OS client tries DES encryption. If DES encryption fails, the Db2 for z/OS client sends the user ID and password or password phrase in clear text.
See Security mechanisms for DRDA and SNA for more information about using DRDA encryption. See the Db2 for z/OS Program Directory for ICSF hardware and software requirements for AES encryption.
As a client, Db2 for z/OS supports only the IPNAMES.SECURITY_OUT option 'P' ("password") for AES encryption and decryption. Db2 for z/OS does not support AES for the IPNAMES.SECURITY_OUT option 'D' ("user ID and security-sensitive data encryption") or 'E' ("user ID, password, and security-sensitive data encryption"). Connections that use these outbound security options remain encrypted with DES.
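The following query is an added example, not part of the original topic. It lists each outbound TCP/IP link in the communications database and classifies it by the SECURITY_OUT behavior described above. It assumes SELECT authority on SYSIBM.IPNAMES, and the OUTBOUND_ENCRYPTION column name and its descriptive text are chosen here for illustration.

```sql
-- Added example: review outbound links by SECURITY_OUT option.
-- 'P' is the only option for which the client attempts AES (this requires
-- DRDA SECMGR 9 or higher and a started z/OS ICSF); if AES is not available
-- the client tries DES, and if DES fails it sends clear text.
-- 'D' and 'E' stay on DES, as stated above.
SELECT LINKNAME,
       IPADDR,
       SECURITY_OUT,
       USERNAMES,
       CASE SECURITY_OUT
         WHEN 'P' THEN 'password: AES attempted, then DES, then clear text'
         WHEN 'D' THEN 'user ID and security-sensitive data: DES'
         WHEN 'E' THEN 'user ID, password, and security-sensitive data: DES'
         ELSE 'other option: not covered by this topic'
       END AS OUTBOUND_ENCRYPTION
  FROM SYSIBM.IPNAMES
 ORDER BY SECURITY_OUT, LINKNAME;
```

Rows reported with option 'P' are the links where the AES, DES, clear-text fallback sequence applies, so they are the ones to check against the remote server's SECMGR level and the local ICSF status.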