TCP/IP ALREADY VERIFIED field (TCPALVER subsystem parameter)
The TCPALVER subsystem parameter specifies whether Db2 accepts TCP/IP connection requests that contain only a user ID, or if stronger forms of security or encryption are required. The TCPALVER value does not prevent connection requests that use stronger forms of security or encryption than it requires.
| Attribute | Value |
|---|---|
| Acceptable values | NO (or SERVER), SERVER_ENCRYPT, YES (or CLIENT) |
| Default | NO (SERVER) |
| Update | option 46 on panel DSNTIPB |
| DSNZPxxx | DSN6FAC TCPALVER |
| Security parameter | Yes |
- SERVER_ENCRYPT (recommended)

  A user ID and password are required for connection requests. Kerberos tickets are also accepted. In addition, one of the following conditions must be true:
  - The user ID and password are AES (Advanced Encryption Standard)-encrypted.
  - The connection is accepted on a port that ensures Application Transparent Transport Layer Security (AT-TLS) policy protection, such as a Db2 security port (SECPORT).

  Non-encrypted security credentials are not accepted unless the connection is secured by the TCP/IP network. DES-based (Data Encryption Standard) encryption is also considered insecure. If RACF PassTickets are used, Db2 must be permitted to execute the SAF IRRSPK00 service. That is, the use of SERVER_ENCRYPT requires a RACF PERMIT for Db2 (the user ID associated with the ssnmDIST started task ID) to execute the IRRSPK00 service, as shown in the following example RACF commands:

  ```
  RDEF PTKTDATA IRRPTAUTH.SYEC1B.* UACC(NONE)
  PE IRRPTAUTH.SYEC1B.* CLASS(PTKTDATA) ID(SYSDSP) ACCESS(READ)
  SETR RACLIST(PTKTDATA) REFRESH
  ```
- NO (or SERVER)

  A user ID and password are required for connection requests, or the connection must be authenticated by a RACF PassTicket or Kerberos ticket. The user ID and password can be encrypted or non-encrypted.

  Any connection that is allowed when the TCPALVER value is SERVER_ENCRYPT is also accepted. Connections can also be accepted on a port that ensures AT-TLS policy protection.

  NO is the default setting. SERVER can be used as an alternative to NO.
- YES (or CLIENT)

  A new connection can be accepted with a user ID only.

  Any connection that is allowed when the TCPALVER value is NO (or SERVER) or SERVER_ENCRYPT is also accepted. Connections can also be accepted on a port that ensures AT-TLS policy protection.

  CLIENT can be used as an alternative to YES.
This value must be the same for all members of a data sharing group.
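As an added illustration (not Db2 code and not part of this reference), the following Python model encodes the acceptance rules for the three TCPALVER settings so an administrator can check which inbound connection requests a given value admits, and which requests a planned tightening (for example NO to SERVER_ENCRYPT) would start to refuse. It assumes a simplified request description (credential type, DRDA encryption level, whether the port is AT-TLS protected), and it takes the conservative reading that a RACF PassTicket under SERVER_ENCRYPT must, like a password, be AES-encrypted or arrive on an AT-TLS port in addition to Db2 holding the IRRSPK00 permission; Kerberos tickets are accepted as the text states. The scenario names and the `irrspk00_permitted` flag are constructed for the example.

```python
"""Acceptance model for the Db2 for z/OS TCPALVER subsystem parameter.

Added illustration, not Db2 code: it encodes the acceptance rules from the
TCPALVER reference text so the effect of each setting can be checked offline.
"""
from dataclasses import dataclass
from enum import Enum


class Credential(Enum):
    USERID_ONLY = "userid-only"   # no authenticator supplied
    PASSWORD = "password"         # user ID plus password
    PASSTICKET = "passticket"     # RACF PassTicket
    KERBEROS = "kerberos"         # Kerberos ticket


class Encryption(Enum):
    NONE = "none"   # credentials not encrypted by the DRDA security mechanism
    DES = "des"     # DES-based encryption, treated as insecure
    AES = "aes"     # AES encryption


@dataclass(frozen=True)
class ConnectionRequest:
    credential: Credential
    encryption: Encryption = Encryption.NONE
    at_tls_port: bool = False   # arrived on an AT-TLS protected port such as SECPORT


_ALIASES = {"SERVER": "NO", "CLIENT": "YES"}
_LEVELS = ("NO", "SERVER_ENCRYPT", "YES")


def normalize(tcpalver: str) -> str:
    """Map the alias spellings SERVER and CLIENT onto NO and YES."""
    value = tcpalver.strip().upper()
    value = _ALIASES.get(value, value)
    if value not in _LEVELS:
        raise ValueError(f"invalid TCPALVER value: {tcpalver!r}")
    return value


def is_accepted(tcpalver: str, req: ConnectionRequest,
                irrspk00_permitted: bool = True) -> bool:
    """Return True if Db2 with this TCPALVER value would accept the request.

    irrspk00_permitted (a constructed flag for this example) models whether the
    ssnmDIST user ID holds the RACF PERMIT on the IRRSPK00 service that
    SERVER_ENCRYPT needs in order to evaluate PassTickets.
    """
    level = normalize(tcpalver)
    if level == "YES":
        return True  # a user ID alone suffices; anything stronger is accepted too
    if req.credential is Credential.USERID_ONLY:
        return False  # NO and SERVER_ENCRYPT both demand an authenticator
    if level == "NO":
        return True  # password (encrypted or not), PassTicket or Kerberos ticket
    # SERVER_ENCRYPT from here on.
    if req.credential is Credential.KERBEROS:
        return True
    if req.credential is Credential.PASSTICKET and not irrspk00_permitted:
        return False
    # Cleartext and DES-protected credentials are refused unless AT-TLS secures the link.
    return req.at_tls_port or req.encryption is Encryption.AES


# Constructed request scenarios used to compare settings.
SCENARIOS = {
    "user ID only": ConnectionRequest(Credential.USERID_ONLY),
    "cleartext password": ConnectionRequest(Credential.PASSWORD),
    "DES-encrypted password": ConnectionRequest(Credential.PASSWORD, Encryption.DES),
    "AES-encrypted password": ConnectionRequest(Credential.PASSWORD, Encryption.AES),
    "cleartext password over AT-TLS port": ConnectionRequest(Credential.PASSWORD, at_tls_port=True),
    "RACF PassTicket, AES-encrypted": ConnectionRequest(Credential.PASSTICKET, Encryption.AES),
    "Kerberos ticket": ConnectionRequest(Credential.KERBEROS),
}


def acceptance_matrix(tcpalver: str) -> dict:
    """Scenario name -> accepted? for one TCPALVER value."""
    return {name: is_accepted(tcpalver, req) for name, req in SCENARIOS.items()}


def newly_rejected(current: str, proposed: str) -> list:
    """Scenarios accepted under `current` that `proposed` would refuse."""
    before, after = acceptance_matrix(current), acceptance_matrix(proposed)
    return [name for name in SCENARIOS if before[name] and not after[name]]


if __name__ == "__main__":
    for level in _LEVELS:
        print(level, acceptance_matrix(level))
    print("NO -> SERVER_ENCRYPT would reject:", newly_rejected("NO", "SERVER_ENCRYPT"))
```

Running the module prints the acceptance matrix for each setting and the list of scenarios that moving from NO to SERVER_ENCRYPT would reject (cleartext and DES-encrypted passwords), which is the set of clients to migrate to AES or an AT-TLS port before the change. The model keeps the page's rule that each setting also accepts everything the stricter settings accept, so the same function can be used to confirm that loosening a value never rejects a previously accepted request.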