TCP/IP ALREADY VERIFIED field (TCPALVER subsystem parameter)

The TCPALVER subsystem parameter specifies whether Db2 accepts TCP/IP connection requests that contain only a user ID, or if stronger forms of security or encryption are required. The TCPALVER value does not prevent connection requests that use stronger forms of security or encryption than it requires.

Acceptable values: NO (or SERVER), SERVER_ENCRYPT, YES (or CLIENT)
Default: NO (SERVER)
Update: option 46 on panel DSNTIPB
DSNZPxxx: DSN6FAC TCPALVER
Security parameter: Yes
Recommendation: Setting the TCPALVER subsystem parameter to SERVER_ENCRYPT provides the best security because connections are accepted only if user credentials are provided to authenticate the user ID, and strong encryption is used to protect the user ID and credentials in the network. For more information, see Sending encrypted passwords or password phrases from Db2 for z/OS clients.
Attention: This is a security-related parameter. A setting of YES or CLIENT provides minimal security. With YES or CLIENT, Db2 is subject to security attacks, because the identity of the user or process that is attempting to gain access is not verified. Specify these settings only if you have a highly secure network.
SERVER_ENCRYPT (recommended)

A user ID and password are required for connection requests; Kerberos tickets are also accepted. In addition, one of the following conditions must be true:

  • The user ID and password are AES (Advanced Encryption Standard)-encrypted.
  • The connection is accepted on a port that ensures Application Transparent Transport Layer Security (AT-TLS) policy protection, such as a Db2 security port (SECPORT).
Non-encrypted security credentials are not accepted unless the connection is secured by the TCP/IP network. DES-based (Data Encryption Standard) encryption is also considered insecure. If RACF PassTickets are used, Db2 must be permitted to execute the SAF IRRSPK00 service. That is, the use of SERVER_ENCRYPT requires a RACF PERMIT for Db2 (the user ID associated with the ssnmDIST started task ID) to execute the IRRSPK00 service, as shown in the following example RACF commands:
RDEF PTKTDATA IRRPTAUTH.SYEC1B.* UACC(NONE)
PE IRRPTAUTH.SYEC1B.* CLASS(PTKTDATA) ID(SYSDSP) ACCESS(READ)
SETR RACLIST(PTKTDATA) REFRESH
NO (or SERVER)

A user ID and password are required for connection requests, or the connection must be authenticated by a RACF PassTicket or Kerberos ticket. The user ID and password can be encrypted or non-encrypted.

Any connection that is allowed when the TCPALVER value is SERVER_ENCRYPT is also accepted. Connections can also be accepted on a port that ensures AT-TLS policy protection.

NO is the default setting.

SERVER can be used as an alternative to NO.

YES (or CLIENT)

A new connection can be accepted with a user ID only.

Any connection that is allowed when the TCPALVER value is NO (or SERVER) or SERVER_ENCRYPT is also accepted. Connections can also be accepted on a port that ensures AT-TLS policy protection.

CLIENT can be used as an alternative to YES.

This value must be the same for all members of a data sharing group.
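The acceptance rules for the three settings described above can be checked against a set of connection profiles before the parameter is tightened. The following is an added example, not Db2 code from IBM: it models the rules stated on this page as a small policy evaluator and uses it to list which constructed connection profiles would stop being accepted when TCPALVER moves from YES to SERVER_ENCRYPT. Two points are assumptions rather than statements from the page: PassTickets are treated like passwords for the encryption rule under SERVER_ENCRYPT, and under NO (or SERVER) an AT-TLS port is not taken to waive the user ID and password requirement.

```python
from dataclasses import dataclass
from enum import Enum


class Cred(Enum):
    """Kind of credential carried by an inbound connection request."""
    USERID_ONLY = "userid_only"   # no password, PassTicket or Kerberos ticket at all
    PASSWORD = "password"         # user ID plus password or password phrase
    PASSTICKET = "passticket"     # user ID plus RACF PassTicket
    KERBEROS = "kerberos"         # Kerberos ticket


@dataclass(frozen=True)
class Connection:
    cred: Cred
    encryption: str = "none"    # "none", "des" or "aes"; relevant for PASSWORD/PASSTICKET
    at_tls_port: bool = False   # arrived on an AT-TLS-protected port such as SECPORT


# Synonyms accepted by the parameter, folded to the three distinct behaviours.
SETTINGS = {
    "NO": "NO", "SERVER": "NO",
    "YES": "YES", "CLIENT": "YES",
    "SERVER_ENCRYPT": "SERVER_ENCRYPT",
}


def accepts(tcpalver: str, conn: Connection) -> bool:
    """Return True if a connection with these properties is accepted under TCPALVER=tcpalver."""
    setting = SETTINGS[tcpalver.upper()]
    has_credential = conn.cred != Cred.USERID_ONLY

    if setting == "YES":
        # YES/CLIENT: a user ID alone is enough; the identity is not verified.
        return True
    if setting == "NO":
        # NO/SERVER: some credential is required, encrypted or not.
        # Assumption: an AT-TLS port does not waive that requirement.
        return has_credential

    # SERVER_ENCRYPT: a credential is required AND it must be protected in transit.
    if not has_credential:
        return False
    if conn.cred == Cred.KERBEROS:
        return True                   # Kerberos tickets are accepted as-is
    if conn.at_tls_port:
        return True                   # AT-TLS protects the credential on the wire
    # Assumption: PassTickets are treated like passwords here; the page only says
    # they need the IRRSPK00 PERMIT, not how they interact with the encryption rule.
    return conn.encryption == "aes"   # DES and cleartext are considered insecure


STRICTNESS = ["SERVER_ENCRYPT", "NO", "YES"]   # strictest first


def strictest_accepting(conn: Connection) -> str:
    """Strictest TCPALVER value that would still accept this connection."""
    for setting in STRICTNESS:
        if accepts(setting, conn):
            return setting
    raise ValueError("no setting accepts this connection")  # unreachable: YES accepts all


def migration_impact(current: str, target: str, conns):
    """Connections accepted under `current` that would be rejected under `target`."""
    return [c for c in conns if accepts(current, c) and not accepts(target, c)]


# Constructed sample profiles (hypothetical, not taken from any real system).
SAMPLE_PROFILES = [
    Connection(Cred.USERID_ONLY),
    Connection(Cred.PASSWORD, "none"),
    Connection(Cred.PASSWORD, "des"),
    Connection(Cred.PASSWORD, "aes"),
    Connection(Cred.PASSWORD, "none", at_tls_port=True),
    Connection(Cred.KERBEROS),
]

if __name__ == "__main__":
    for c in SAMPLE_PROFILES:
        print(f"{c.cred.value:12} enc={c.encryption:4} at_tls={c.at_tls_port!s:5} "
              f"strictest setting accepting it: {strictest_accepting(c)}")
    broken = migration_impact("YES", "SERVER_ENCRYPT", SAMPLE_PROFILES)
    print(f"{len(broken)} profile(s) would be rejected after moving YES -> SERVER_ENCRYPT")
```

Running the block prints, for each profile, the strictest setting that still accepts it, which is the information needed to judge the impact of following the recommendation on this page: every profile whose strictest setting is YES or NO is a client that must be fixed (AES password encryption, AT-TLS, or Kerberos) before TCPALVER can be set to SERVER_ENCRYPT.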